Basic security fail spotted by Reg reader let anyone divert parcel deliveries
Catalogue store Argos has changed shop passwords for its drop-off store facility after a Reg reader inadvertently discovered staff relied on weak in-store access credentials to service orders.
The reader – who asked not to be named – came across the issue when she went to send two eBay parcels via the Argos drop-off system.
An assistant used a notebook with an easily-guessable username and password to access the system and left those credentials in plain view of anyone who happened to be nearby.
Shoulder-surfing the password as the assistant typed it into a terminal would also have been possible, our tipster told us.
The login credentials – which, we understand, gave access to the Argos user-delivery network but not the catalogue shop’s main stock distribution – were formed by a simple formula: the username, with a leading capital, followed by the store’s internal ID as the password.
This means that passwords were something like Argossstore123 in complexity.
“The store numbers are published on their website, and which stores offer this service are also listed,” our tipster explains.
Sure enough, she was able to access a second store’s parcel listings using the same formula.
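The weakness here is a credential derived from fields that are public or shared. The following check is an added example, not code from Argos or from the article, that flags a password built from the username and a published identifier; the usernames, store numbers and passwords are constructed sample values.

```python
import re

# Constructed sample data (not from the article): identifiers that are public,
# like the store numbers the tipster found listed on the retailer's website.
PUBLIC_STORE_IDS = {"123", "456", "789"}


def _normalise(s: str) -> str:
    """Lower-case and strip separators so 'Argos-Store 123' and 'argosstore123' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def password_is_derived(password: str, username: str, public_ids) -> bool:
    """True if the password can be built from the username and/or a public identifier.

    This models the formula described above (capitalised username plus store ID);
    containment rather than equality also catches a bolted-on symbol or suffix.
    """
    pw = _normalise(password)
    user = _normalise(username)
    if not pw:
        return True
    # Password contains the (normalised) username.
    if user and user in pw:
        return True
    # Password contains any publicly listed identifier.
    return any(_normalise(pid) in pw for pid in public_ids)


def check_store_credentials(creds, public_ids):
    """Return [(store, username)] for every credential that fails the check."""
    return [(store, user) for store, user, pw in creds
            if password_is_derived(pw, user, public_ids)]


# Constructed credentials in the shape the article describes.
SAMPLE_CREDS = [
    ("store-123", "argosstore", "Argosstore123"),   # username + published store id
    ("store-456", "argosstore", "argos-store 456"), # same formula with separators
    ("store-789", "argosstore", "bT7!vq2#Lm9"),     # unrelated to any public field
]

if __name__ == "__main__":
    for store, user in check_store_credentials(SAMPLE_CREDS, PUBLIC_STORE_IDS):
        print(f"{store}: password for '{user}' is derived from public fields")
```

The same check fits naturally into a password-change hook, so a reset like the one Argos rolled out cannot land back on the original formula.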
“I can add, edit and delete any and all shipments (so presumably I could divert them somewhere prior to pickup from the shop), see the complete recipient’s name, address, the contact phone number etc., and I appear to have the option to change each account’s password as well,” she said.
The tipster passed on her find to El Reg, and we in turn passed it on to Argos, which responded promptly and professionally: it looked into the issue and rolled out a change to in-store passwords once the security slip-up was confirmed.
In a statement, the UK high street catalogue store also promised to educate staff about password security issues raised by the incident.
We appreciate [name of tipster] bringing to our attention the issue relating to Drop-off in our Malvern store. We apologise for any inconvenience caused.
We take matters of this nature extremely seriously. We have since investigated this specific issue and taken immediate action.
As a precautionary measure, passwords in all 150 Drop-off stores have now been changed.
Training procedures have also been reaffirmed to all store staff.
We will continue to monitor the situation.
Argos is a subsidiary of Home Retail Group, which operates more than 750 stores in the UK and Ireland.
The catalogue retailer is a fixture of the UK high street retail scene as well as running a successful online shop. ®