Ahold-Delhaize and How Bug Reports Should Be Handled


Mirror of original article posted on Tuesday, 13 August, 2019 at Medium

While shopping for groceries in an AH store in the Netherlands after a vacation in the northern part of the country, a kiosk system caught my eye. I went to play with it and found that it granted access to the underlying system, which I ended up reporting to Ahold-Delhaize.

While shopping for groceries in an AH store in the northern Netherlands, I noticed a kiosk screen for alcoholic beverages. At that moment the system was serving a blank page, and I noticed gray scroll bars on the screen. That set my thought process rolling, and I realized it looked very much like an Android tablet. Of course, I thought, as there was a camera visible above the screen. I had read online somewhere, either on Twitter or elsewhere, that there is a nifty trick to exit these types of apps. So I tried a few methods: tapping the corners of the screen, and swiping right-to-left and left-to-right. Then a hamburger-style Android app menu opened. This menu contained an exit button to go back to the Android launcher. I pressed the exit button and got access to the Android launcher. I was inspired to try this on this Android tablet by Daniel Verlaan of RTL Nieuws, who found a non-locked-down system at a parking garage earlier this year.

Android on a parking garage tablet

Truth be told, as a security researcher I was hoping that it was locked down and that the launcher would not be able to pop up; I was therefore somewhat disappointed when the opposite was true and the launcher did pop up. That gave me full confirmation that it was an Android tablet. Later I checked which tablet it was: apparently a Lenovo Tab 4 10, which runs Android 7.1 or 7.1.1 on its latest firmware and receives no updates anymore. As the tablet had no other security lock, I checked whether anyone had already installed an app. I saw that Toto (a Dutch betting app) was installed and that its APK (Android Package Kit) file was stored on the internal storage of the tablet. In theory one could have installed malware or ransomware on the tablet and thus locked out any further use. The tablet's launcher looked as shown below:

Tablet app launcher

After playing around, I tried opening Chrome and went to ThugCrowd's site, which was something the people in ThugCrowd's chat were talking about at the time, as there was an elevator at DEF CON in Las Vegas showing ThugCrowd's site, visible below. ThugCrowd had some Capture The Flag challenges on their Twitter profile @thugcrowd, which you could solve to get access to a secret chat of theirs, which I highly recommend.

ThugCrowd’s site on an elevator in Las Vegas

As you can see below, Chrome was not blocked, so one could browse the web with this tablet as well as download apps and the like. As mentioned before, I opened ThugCrowd's website to demonstrate that you could browse the web on it.

ThugCrowd’s site I photographed in-store

As this system was vulnerable, had access to the camera, and allowed apps to be installed, one could practically make and install an app that runs in the background and takes photos of people walking nearby, all without anyone noticing it.
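The three weaknesses described above (an in-app exit button that reaches the launcher, a reachable launcher and browser, and installable APKs) are exactly what Android's Device Owner APIs and lock task mode exist to prevent. The following is an added example, not code from the original post, from Ahold-Delhaize or from the kiosk vendor, showing how a kiosk app would enforce that on Android 7.1; the package name com.example.kiosk, the classes KioskActivity and KioskAdminReceiver, and the layout resource activity_kiosk are assumptions made for the example.

```java
// Added example (not from the original post): a kiosk activity that uses
// Android Device Owner APIs so that no gesture, menu button or Home press
// can reach the launcher, and no APK can be installed from the device.
package com.example.kiosk;  // hypothetical package name

import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;
import android.os.UserManager;

public class KioskActivity extends Activity {

    // Minimal admin receiver; it must be declared in AndroidManifest.xml with
    // android.permission.BIND_DEVICE_ADMIN and a device_admin policy XML.
    public static class KioskAdminReceiver extends DeviceAdminReceiver { }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_kiosk);  // assumed layout resource

        DevicePolicyManager dpm =
                (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(this, KioskAdminReceiver.class);

        // Lock task mode is only enforced silently when this app is the Device
        // Owner; otherwise Android shows a cancellable "screen pinning" prompt.
        // The owner is set once, on a freshly reset device, before deployment:
        //   adb shell dpm set-device-owner com.example.kiosk/.KioskActivity$KioskAdminReceiver
        if (!dpm.isDeviceOwnerApp(getPackageName())) {
            // Fail closed: do not pretend to be a kiosk when we cannot enforce it.
            finish();
            return;
        }

        // 1. Only this package may run while the device is in lock task mode,
        //    so Chrome or any other installed app cannot be brought up.
        dpm.setLockTaskPackages(admin, new String[]{getPackageName()});

        // 2. Make this activity the persistent HOME activity: an "exit" path
        //    or a Home press lands back here rather than in the stock launcher.
        IntentFilter homeFilter = new IntentFilter(Intent.ACTION_MAIN);
        homeFilter.addCategory(Intent.CATEGORY_HOME);
        homeFilter.addCategory(Intent.CATEGORY_DEFAULT);
        dpm.addPersistentPreferredActivity(admin, homeFilter,
                new ComponentName(this, KioskActivity.class));

        // 3. Block what the store tablet allowed: installing apps, sideloading
        //    APKs from internal storage, safe boot, and adding accounts.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_APPS);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_SAFE_BOOT);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_MODIFY_ACCOUNTS);

        // 4. Remove the status bar and keyguard so there is no notification
        //    shade to pull down or lock screen to swipe away (API 23+).
        dpm.setStatusBarDisabled(admin, true);
        dpm.setKeyguardDisabled(admin, true);

        // 5. Enter lock task mode: Home and Recents are ignored and the task
        //    cannot be left until this app calls stopLockTask().
        startLockTask();
    }

    @Override
    public void onBackPressed() {
        // Swallow Back: lock task mode blocks Home and Recents, but Back is
        // still delivered to the app, so it must not finish the activity.
    }
}
```

With the app running, the check a store or vendor would do is simply to try the same things the post describes: corner taps, edge swipes, Home, Recents, the notification shade and any in-app exit control should all leave the kiosk activity in the foreground, and a copied APK should refuse to install. Note that these restrictions live in the device's policy, not in the kiosk app's UI, so an app-level "exit" button like the one found here cannot bypass them.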

I reported this to Ahold-Delhaize's security team that same evening. They responded in less than one hour and promised to fix it within a few days, without detailing what the fix would be. On Monday the 12th of August 2019, late in the afternoon, they replied that they would remove the tablet, because unsecured tablets in stores are not compliant with their security policies. In the same email they offered me a gift card of €50 for either Albert Heijn or bol.com, to which I responded that I'd gladly take a gift card for bol.com. I asked whether it was okay to publish this post and they green-lighted it.

To me, this is an example of how security vulnerabilities should be handled, and I would like to give a big thumbs up to Ahold-Delhaize's security team for picking this up so fast and fixing the matter in a few days. As this was my very first actual vulnerability, I'm really content with the outcome, and I would like to see more companies handle it as properly as Ahold-Delhaize did.