REMA1000 did not use any form of authentication on their customer database used by a loyalty program. They claim that this is nothing to worry about. I disagree. Identity theft, blackmail and potential surveillance are threats worth worrying about.

REMA1000, a Norwegian discount store chain, recently released a new customer loyalty program they named ‘Æ’. The letter ‘Æ’ is also the local word for ‘I’ in the Norwegian dialect in the area where Rema1000 is headquartered (Trondheim, the city where I live).

The way the loyalty system works, is that you install an app on your smartphone, and register your debit card in the app. Whenever you make a purchase they will register what you have bought, and you are offered a 10% discount on the 10 items you spend the most money on, as well as on all vegetables and fruits. Sounds like a sweet deal, right?

The problem is only that the app was launched without requiring any form of authentication between the app and the backend database. This is reported by the Norwegian newspaper Aftenposten.no today. The vulnerability would allow anyone to download customer data from their database, down to each item purchased, as well as key customer data such as phone mumbers and partial credit card numbers. The vulnerability was discovered by infosec professional Hallvared Nygård, who spoke to Stavanger Aftenblad about the issue (another Norwegian newspaper).

In a comment to Aftenposten, Rema1000 claims that they “take the situation seriously”, and accuse the security researcher of having obtained access to the information in an illegal way. They say customers have no reason to worry with regard to security with regard to the data they leave with the stores.

This attitude shows a lack of understanding of security risks from REMA1000. First of all, lack of authentication between frontend and backend in a web application is close to inexcusable. It would be disovered by any reasonable web app security scanner. Protecting database access through secure authentication is the core concept of web application security and should be taught in any introduction to secure development class at your nearest university. Even more worrisome is perhaps that REMA1000 claims customers have nothing to worry about. Identity theft, blackmail and surveillance is pretty serious stuff to worry about if you ask me.  On top of this, REMA1000 is seemingly looking to blame the security researcher for reporting the vulnerability.