A security flaw in Alibaba’s international e-commerce site, which put merchants at serious risk, has been identified by an Israeli security firm. Alibaba’s growing English-language site ‘AliExpress’ serves a number of foreign markets including the US, Russia and Brazil; however, in late October, research from AppSec Labs found a vulnerability allowing for the hijacking of merchant accounts.
According to AppSec founder Erez Metula, the potential security breach would have allowed the attacker to change inventory lists, pricing and even close the merchant’s account. In an interview on Wednesday, Erez added that ‘they could change the price from a couple hundred dollars to one dollar, and so the bad guy could buy the product cheap.’
AppSec struggled to get in direct contact with Alibaba, despite attempting to reach the company with numerous phone calls and emails as soon as the findings were produced. It was only following AppSec’s formal disclosure to the Israeli press that Alibaba reciprocated contact.
Metula suggested that the language barrier may have been the cause of the delay and said that ‘we don’t understand Chinese, and maybe they didn’t understand our email, which was in English.’ Alibaba has since stated in an email that it has fixed the problem and is continuing to monitor the situation. Whilst the e-commerce giant did not explain its delayed response to the findings, it stated that ‘the security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms.’
The Alibaba security flaw was only revealed because AppSec’s own researcher, a regular shopper on the site, decided to test the site’s vulnerability. So regardless of whether the flaw is now rectified, it is very disconcerting that it took an unsolicited security check from an outside source to identify it in the first place.