Tenable flags up Instacart security flaw amid coronavirus crisis

Tenable says that it recently discovered a vulnerability in grocery delivery and pick-up service Instacart that allowed bad actors to send malicious links via SMS.

When ordering from the service on the web, users are texted a link prompting them to download the Instacart app. Tenable Research found that attackers could use this feature to send messages from the Instacart service itself to arbitrary phone numbers, leaving consumers unaware that they were potentially clicking on a fraudulent link.

From there, the attacker could send spoofed messages to any phone number, whether it belonged to an Instacart user or not, with a link of their choice, all while pretending to be Instacart. Tenable Principal Research Engineer Jimi Sebree discovered the vulnerability while ordering dog food during the coronavirus outbreak.

Responding to a 150% spike in demand following US-wide shelter-in-place orders, Instacart announced plans to hire 250,000 additional shoppers within the next month. It patched the aforementioned vulnerability in four days, near record time for Tenable disclosures.

You can find further details here.
