A critical but easily exploitable personal information disclosure vulnerability has been discovered in the website of the widely popular online marketplace AliExpress, affecting its millions of users worldwide.
The reported vulnerability could allow anyone to steal the personal information of hundreds of millions of AliExpress users without knowing their account passwords.
AliExpress is an online marketplace owned by Chinese e-commerce giant Alibaba.com, which lets more than 300 million active users from more than 200 countries and regions order items in bulk or one at a time at low wholesale prices.
Amitay Dan, an Israeli application security researcher working at Cybermoon.cc, reported the vulnerability to The Hacker News after providing full disclosure of the flaw to the AliExpress team and Israeli media.
According to the proof-of-concept video and screenshots provided by the security researcher to The Hacker News, the AliExpress website allows a logged-in user to add or update their shipping address and contact number at the following URL:
https://trade.aliexpress.com/mailingaddress/mailingAddress.htm?mailingAddressId=123456
Here "123456" is the user ID of the logged-in user. The researcher noticed that simply by changing the value of the "mailingAddressId" parameter to a different value, one could exploit the validation flaw of the website to display the mailing address and contact information of the respective user on the same webpage, as shown.
A smart attacker could gather the personal information of millions of AliExpress users simply by using an automated script to crawl the "mailingAddress.htm" page with every possible number from 1 to 99999999999 as the "mailingAddressId" parameter value.
The vulnerability has been reported to the AliExpress team and will soon be patched in the coming hours, the researcher indicated.
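The validation flaw described above is a missing ownership (object-level authorization) check on the server. The following Python sketch is an added example, not AliExpress code: the store, function names and sample records are hypothetical and constructed, and it places a handler that trusts the client-supplied `mailingAddressId` beside one that ties each record to the session's user.

```python
# Added illustration: hypothetical names and constructed data, not AliExpress code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Address:
    owner_id: int   # account that created the record (assumed field)
    name: str
    phone: str

# Constructed sample store keyed by mailingAddressId.
ADDRESSES = {
    123456: Address(owner_id=1, name="Alice Example", phone="555-0100"),
    123457: Address(owner_id=2, name="Bob Example", phone="555-0101"),
}

class NotFound(Exception):
    """Raised for missing and for foreign records alike."""

def get_address_vulnerable(session_user_id, mailing_address_id):
    # Flaw: only checks that *someone* is logged in, then trusts the
    # client-supplied id, so any user can read any record.
    if session_user_id is None:
        raise PermissionError("login required")
    return ADDRESSES[int(mailing_address_id)]

def get_address_hardened(session_user_id, mailing_address_id):
    if session_user_id is None:
        raise PermissionError("login required")
    try:
        record = ADDRESSES[int(mailing_address_id)]
    except (KeyError, ValueError, TypeError):
        raise NotFound(mailing_address_id) from None
    # Object-level authorization: the record must belong to the session's
    # user. Same error as "missing", so responses do not confirm which ids exist.
    if record.owner_id != session_user_id:
        raise NotFound(mailing_address_id)
    return record

def can_read(handler, session_user_id, mailing_address_id):
    """Return True if the handler discloses the record to this session."""
    try:
        handler(session_user_id, mailing_address_id)
        return True
    except (NotFound, PermissionError, KeyError, ValueError):
        return False

if __name__ == "__main__":
    print("vulnerable, foreign id:", can_read(get_address_vulnerable, 1, "123457"))
    print("hardened,   foreign id:", can_read(get_address_hardened, 1, "123457"))
```

Logging every `NotFound` raised on the ownership branch, keyed by session, also gives operations a signal when one account requests many identifiers it does not own.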