The day before yesterday, a netizen published a serious vulnerability in the official WeChat Pay SDK (software development kit) in a foreign security community.
The vulnerability can lead to a merchant's server being compromised. Once an attacker obtains the merchant's critical security key, he or she can trick the merchant by sending a forged payment message and walk away without having paid for anything.
WeChat Payments and Merchants
WeChat Pay: Which store are you?
Bakery: I am so-and-so bakery and my code name is ***.
WeChat Pay: Did you generate the order?
WeChat Pay: I received $50; is that the right amount of money?
WeChat Pay: Yes, then tell your order system to hurry up and process it; the customer has paid successfully.
Bakery: Okay, that will be taken care of.
This process is called the "merchant callback interface". Every merchant that wants to accept WeChat Pay, whether online or offline, communicates with WeChat Pay through this interface. It has a set of standard fields, such as order number, user information and price, and finally a signature that is meant to guarantee the authenticity and integrity of the transaction between the two sides.
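The merchant-side check that this callback relies on, as an added example (not code from the article or from the WeChat Pay SDK): the signature scheme (sorted key=value pairs, the merchant key appended, SHA-256), the field names and the order records are all assumptions. The handler rejects a notification whose signature does not verify, whose order number it never issued, or whose amount differs from what it recorded, and it ignores repeats of an already processed notification.

```python
import hashlib
import hmac

# Constructed merchant-side state: a placeholder merchant key and the
# merchant's own record of orders it generated, keyed by order number.
MERCHANT_KEY = "MERCHANT_KEY_PLACEHOLDER"
LOCAL_ORDERS = {"ORDER-1001": {"amount_cents": 5000, "paid": False}}


def sign(params: dict, key: str) -> str:
    """Assumed scheme: sort fields, join as k=v with '&', append the
    merchant key, hash. The 'sign' field itself is excluded."""
    body = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")
    return hashlib.sha256(f"{body}&key={key}".encode()).hexdigest()


def make_notification(order_no: str, amount_cents: int, key: str) -> dict:
    """Build a callback message as the payment side would send it (constructed)."""
    msg = {"order_no": order_no, "amount_cents": str(amount_cents)}
    msg["sign"] = sign(msg, key)
    return msg


def handle_callback(notification: dict) -> str:
    """Validate a payment notification before marking the order as paid."""
    expected = sign(notification, MERCHANT_KEY)
    # Constant-time comparison so the check leaks nothing about the key.
    if not hmac.compare_digest(expected, notification.get("sign", "")):
        return "FAIL: bad signature"
    order = LOCAL_ORDERS.get(notification.get("order_no"))
    if order is None:
        return "FAIL: unknown order"
    # Compare against the merchant's own record, never trust the message alone.
    if str(order["amount_cents"]) != notification.get("amount_cents"):
        return "FAIL: amount mismatch"
    if order["paid"]:
        return "OK: duplicate, already processed"
    order["paid"] = True
    return "OK: order marked paid"
```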