Argos blames developers, not XSS, for website bug

The website of UK catalogue retailer Argos was hit by a bug on Friday, where a pop-up window appeared with a customised message saying ‘hello', causing some shoppers to leave the site. 

The retailer's owner, Home Retail Group, has told SCMagazineUK.com it was pre-production code accidentally released on the site, rather than a cross-site scripting (XSS) vulnerability.

“We can confirm that this screenshot was not caused by an XSS vulnerability, and was due to an accidental release of pre-production code onto our website,” the company said in a statement. “This error occurred for a short period of time, was rectified quickly and at no point was any customer data compromised. We would like to apologise to customers for any inconvenience caused.”

“Some customers may have encountered an interrupted shopping journey for about an hour on Friday morning.”

Argos is no stranger to web attacks, with security researchers reporting XSS faults on XSSposed down the years. Most recently, security researcher Robin Bradshaw, known online as ‘en4rab', reported a XSS vulnerability on argos.co.uk (the site had two vulnerabilities in total) on 14 February 2015. The vulnerability was patched on 17 February. The retail company was apparently hit by similar flaws in 2012 and 2007.