Select Page

online shopping with a credit card

I start every morning reading through the Google News tech and business sections, and every morning there’s a new story about something Amazon/Walmart/Target/etc. Is doing to “win” the eCommerce War. Acquisitions, same day delivery, and new merchandising programs intermingle with reports of stock rises and crashes. But with this rapid rollout of features, are the biggest retailers more concerned with their customer experience or their shareholder experience? Features are being released prematurely to “win” the battle, but without the proper consideration of how they could be misused.

Winning the War is Half the Battle

Take Walmart.com as an example. Through their Rich Content API and third party Content Service Providers, it is possible to publish anything to your owned product page. There is no moderation, review, or sanitation of the content. Even if they were to add moderation or review to the program, at this time all videos and images are hosted by the content provider and not through Walmart’s own Content Distribution Network. So you could get an initial image approved through review, and then substitute it with something less appropriate where the file itself is hosted. It would be fairly simple to add tracking pixels to the page that would track visitors across domains or put up inappropriate content that Walmart wouldn’t want on their site.

Besides images and HTML, they also freely accept Javascript. On the surface, it makes sense to include Javascript, as it can be used to create more interactive experiences. For example, an interactive product tour that has hotspots that when clicked display more product information. In discovering this, I was very surprised as there are many ways Javascript could be used to nefariously manipulate a web page.

enhanced product content on Walmart.com

If you wanted to be nefarious, with only a few lines of code you could publish a Javascript cryptocurrency miner to run in the background. Imagine that—mining cryptocurrency from one of the most visited websites in the United States. This is theoretical, as it would be against their terms of service to actually test this, but I have been able to successfully publish Javascript to their website and there are no systems in place to sanitize or obfuscate it.

Less subtle would be to put a fake checkout form within the section. While it isn’t likely many people would fall for it, it could be done in a way that mimics Amazon’s One Click Checkout. With the increasing adoption of online shopping by less tech-savvy generations, it would be pretty simple to steal credit card information in this way.

use of Javascript on a Walmart.com product page

Customers First, Innovation Second

I am as far from resistant to change as there can be. That said I am not a hacker and I spotted these vulnerabilities in an hour. With hundreds of millions of monthly visitors, even a small and subtle exploit of this could be huge. I very much believe in the idea of good enough is better than perfect when it comes to releases in the tech sector, but they need to be done in a way that doesn’t leave consumers open to vulnerabilities. As I mentioned above simple steps like moderation and sanitization of the data could help protect the consumers they depend on, but it looks like they are more focused on moving as quickly as possible to appease investors and suppliers and create news stories.


Also published on Medium.