There’s just something about the holiday season and Target that leaves customers’ personal information open for the taking. Two years after the retailer suffered a massive data breach affecting more than 100 million customers, another – albeit smaller – security flaw in the company’s mobile app has left the emails and phone numbers for some users vulnerable. 

Customers who created wish lists through the Target app have unwittingly made their addresses, phone numbers, and other personal information open to unauthorized access, thanks to a flaw in the feature, researchers from security firm Avast reported in a blog on Tuesday.

Avast discovered the flaw while examining the security and privacy levels of various mobile apps.

“If you created a Christmas wish list using the Target app, it might be accessible to more people than you want to actually receive gifts from,” researchers said in the post. “The Target app keeps a database of users’ wish lists, names, addresses, and email addresses. But your closest family and friends may not be the only ones who know you want a new suitcase for your upcoming cruise!”

According to researchers, the flaw is a result of the app’s Application Program Interface (API) being easily accessible over the Internet. Once someone figures out how a user ID is generated they can access a file that contains email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries.

A spokesperson for Target tells CNET that the company disabled elements of its wish list app on Tuesday evening.

“We apologize for any challenges guests may be facing while trying to access their registry,” Molly Snyder, a communications manager at Target, said in a statement. “Our teams are working diligently overnight to resume full functionality.”

It’s unclear how many customers were using the wish list feature.

In addition to finding Target’s wish-list app vulnerability, researchers with Avast found other major retailers’ shopping apps lack in security and privacy protections. For example, Walgreen’s app asks for permissions that have little to do with the purpose of the feature.

A spokesperson for Walgreens says that the company, along with its security teams regularly review and validate permissions required for its mobile applications, as they may change and vary over time as we provide new features and functionality.

“All permissions associated with our app have, in fact, been implemented to provide the services we currently make available to our customers,” the rep said.

Target back on naughty list with another security vulnerability [CNET]
Retailer’s apps reveal your Christmas list to the public [Avast]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.