Most people are familiar with the online shopping process; it sounds much like an in-store experience. Select your items, add them to your cart and head to the checkout when you are finished browsing and ready to purchase. But online it is not that simple.

There is a crucial point during an online transaction when the shopper enters their personal information and credit card details in order to complete the purchase. This is the point at which they become vulnerable, because they can never be sure that the information is being transmitted securely and ending up in the right hands.
Wandera researchers have discovered multiple data leaks coming through the Android and iOS mobile apps of LightInTheBox. This global online retailer is listed on the New York Stock Exchange and has between one and five million users, so the impact of this vulnerability is immense.
Download the LightInTheBox Threat Advisory

How does it happen?

The LightInTheBox apps expose sensitive personal data of the user when they log in and check out. Specifically, the apps send user data over the network in plaintext, including login credentials and mailing addresses. This information therefore travels over an insecure connection, where any attacker or third-party observer on the network can read it.
In addition, LightInTheBox’s mobile apps have been found to use encryption and decryption routines whose session keys are hard-coded in the app itself. Because anyone with a copy of the app can recover those keys, this can result in credit card details being decrypted by an attacker.
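To show what this leak class looks like on the wire, the following is an added example (not part of the original advisory and not LightInTheBox code) that flags the advisory's PII categories when they are sent over cleartext HTTP; the field names and sample requests are constructed for illustration.

```python
"""Flag requests that carry sensitive fields over cleartext HTTP.
Field names and sample requests below are constructed for this
example; they are not taken from LightInTheBox traffic."""
from urllib.parse import parse_qs, urlsplit

# Assumed form-field names for the PII categories the advisory lists.
SENSITIVE_FIELDS = {
    "password": {"password", "old_password", "new_password", "passwd"},
    "card_number": {"card_number", "cc_number", "pan"},
    "cvv": {"cvv", "cvc", "security_code"},
}

def luhn_valid(digits: str) -> bool:
    """Luhn check so a 'card_number' hit is a plausible PAN, not a SKU."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cleartext_leaks(url: str, body: str) -> list[str]:
    """Return the sensitive categories present in a form body that was
    sent without TLS. HTTPS requests return an empty list, since a
    passive observer sees only ciphertext there."""
    if urlsplit(url).scheme.lower() != "http":
        return []
    fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    leaks = []
    for category, names in SENSITIVE_FIELDS.items():
        for name in names & set(fields):
            value = fields[name].replace(" ", "")
            if category == "card_number" and not luhn_valid(value):
                continue        # digits that are not a card number
            leaks.append(category)
            break
    return sorted(leaks)

# Constructed sample requests (not real traffic).
SAMPLES = [
    ("http://shop.example/checkout", "first_name=A&card_number=4111111111111111&cvv=123"),
    ("http://shop.example/account", "old_password=hunter2&new_password=hunter3&country=US"),
    ("https://shop.example/checkout", "card_number=4111111111111111&cvv=123"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, "->", find_cleartext_leaks(url, body) or "no cleartext PII")
```

The same check can be run over a proxy log of an app's checkout flow to confirm that card data and passwords only ever appear inside TLS.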

What’s being exposed?

PII that is exposed during a password change event on the mobile apps includes:

  • Old Password
  • New Password
  • Country

PII that is exposed during the check-out process on both Android and iOS apps includes:

  • First name
  • Last name
  • Address
  • City
  • Postal Code
  • State
  • Country
  • Phone Number

PII that is exposed during the payment process on the mobile apps includes:

  • Credit Card Number
  • Credit Card Expiration Date (Month, Year)
  • CVV / Security Code

What can I do?

Avoid using the apps over public and potentially insecure Wi-Fi hotspots in order to minimize the risk of traffic interception.
Users should also have an active mobile security service deployed to monitor for data leaks.