UK retail giant Asda has played down reports that a persistent security flaw in the firm's website, first reported almost two years ago, gave hackers the ability to scoop up customers' personal account information and payment details.
The vulnerability was reported by information security consultant Paul Moore in March 2014, and could reportedly be exploited to "quickly and effectively" collect usernames, email addresses and bank card details.
The US-owned retail firm processes over 200,000 online orders a week and could have put more than 19 million transactions at risk, although there is no suggestion that any data has been taken.
Moore claims that, despite his having made the firm aware of the issue almost two years ago, Asda failed to react.
"Back in March 2014 I contacted Asda to report several security vulnerabilities and, despite a fix promised 'in the next few weeks', little appears to have changed," said Moore when outlining his findings this week.
"All that's required for this exploit to be successful is for you to be signed in and browsing the web. If, at the end of your shop, you search for a voucher or discount code and that website contains [a] malicious payload you could lose your card details," he explained.
"ASDA/Walmart have had ample opportunity to fix these issues and have failed to do so."
The researcher said that the website was vulnerable to common web flaws including cross-site request forgery (CSRF) and cross-site scripting (XSS).
"CSRF exploits the trust a site has in the user's browser, allowing an attacker to issue requests on your behalf and from your own PC. XSS allows an attacker to embed malicious content into the page to alter anything and everything the user can see," Moore told the BBC.
However, Asda said it has now made a number of changes to strengthen its website security, and that there is no evidence of any customer records being compromised by the exploit.
An Asda spokesperson told V3: "Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website."
V3 asked when these changes were made and if they were a direct result of Moore's blog but had received no reply at the time of publication.
Despite this, Ross Brewer, managing director for international markets at security firm LogRhythm, said it was "unacceptable" that the situation had been allowed to go on for so long.
"These vulnerabilities could have long-term consequences for Asda and its customers. While the risk may be small, the fact is it was still there and had been for years at the full knowledge of the company.
"As we've seen from recent attacks, such as on TalkTalk, consumers are taking the protection of their data increasingly seriously, so I'd expect Asda to have some very concerned customers following this news."