Supermarket chain Asda has come under fire for sitting on a potentially serious set of web vulnerabilities on its website for almost two years.

As first reported by The Register on Monday, UK security consultant Paul Moore warned Asda about a shopping list of online vulnerabilities in March 2014.

Asda upped the grade of its TLS cipher soon afterwards but despite Moore’s dialogue with technology staff at the supermarket giant, it failed to tackle a number of troubling web vulnerabilities until Friday – and only then on the back of warnings its shortcomings were due to be publicly outed on the following morning.

The XSS (Cross-Site Scripting) and CSRF/XSRF (Cross-Site Request Forgery) vulnerabilities present on Asda’s website created a potential mechanism for hackers to access Asda customer account without requiring log-in details.

The same set of flaws would also have allowed hijackers the ability to steal payment information in cases where a customer opened another tab while shopping on the Asda website. That’s a much more difficult route into customer databases than, for example, SQL injection attack of the kind UK ISP TalkTalk infamously suffered last year.

Nonetheless, it’s still a tangible risk.

Moore first notified Asda of various serious security flaws on its website in March 2014, receiving an assurance that fixes would be applied in “in the next few weeks”. Only an SSL issue had been resolved by the time Moore sent Asda a harmless proof-of-concept demo in November 2015.

He finally ran out of patience this week, going public with the shortcomings of Asda’s site on Monday on what turned out to be a successful attempt to shame the supermarket chain into putting its website in order.

The Inter-linkable XSS and CSRF flaws on the Asda websites created a possible mechanism for cybercriminals to hack users’ accounts, as a video clip put together by Moore illustrates.

Moore admits he doesn’t know whether or not malicious hackers actually exploited these flaws to run attacks.

Independent security experts are critical of Asda’s handling of Moore’s bug report. Reports of breaches of Asda accounts occasionally crop up on social media sites with people complaining of fraud. These incidents probably come as a result of phishing rather than a website vulnerability that takes skill to exploit.

Asda itself denies the flaws discovered by Moore led to any harm much less fraud against its customers. The supermarket's representatives described the vulnerabilities as “very low risk to customers due to further protection we already have in place”.

“Asda and Walmart take the security of our websites very seriously and we review our systems and software regularly,” it said in an official statement prompted by inquiries on the issue by El Reg “The highlighted security issues are being dealt with and there is a very low risk to any customer information.”

The US-owned chain later said “there is no evidence of any customer information being compromised as a result of these issues” before adding it was implementing further “changes to improve the security on our website.”

“The small risk to customer information has been removed and an update has been applied,” a spokesman explained.

The supermarket’s case is that the flaws were minor and never posed a risk to customers, hence its decision not to act on them. Critics argue that Asda was guilty of making well known mistakes, included in the OWASP top 10 list, before ignoring an expert who brought the issue to their attention for nearly two years.

Asda's tardiness in fixing the flaws remain unexplained by the supermarket, even after El Reg asked it directly for comment on this point – which Moore is far from alone in noting.

Ross Brewer, vice president and managing director for international markets at security tools firm LogRhythm, commented: “A set of online security vulnerabilities have been identified on Asda’s online portal, which – unbelievably – the retailer knew about for nearly two years before taking action. This is just unacceptable, particularly for such a large, well-known company that has the resources and expertise in place to understand what the implications of lax security are.”

“With no XSRF protection throughout the site, these vulnerabilities could have potential long-term consequences for both Asda and its customers. This flaw not only provides an opportunity for hackers to access payment data – albeit a slim one – but it enables them to activate customers’ accounts without knowing their username or password. This raises the possibility of data theft, which could then be used for future phishing attacks or for fraud purposes,” he warned.

Security industry veteran Graham Cluley is similarly critical.

“Asda is owned by the US supermarket giant Walmart, and processes over 200,000 online orders each week. In short, any vulnerabilities which could be used to target Asda's online customers is a serious problem, and the company is not short of resources to deal with any problems discovered,” Clulely notes, adding that “despite having ample opportunity to resolve the issues - Asda has failed to do so. ®