WeChat Pay has been exposed to a loophole that lets you buy for $0! The vulnerability has now been fixed

There are no absolutes in this world. As the saying goes, no gold is entirely pure and no person is perfect.

If someone told you that you could now buy just about anything on certain e-commerce platforms without spending a penny, would you believe them?

Now a hacker has found a vulnerability in the official WeChat Pay SDK, and using this loophole to buy on many e-commerce platforms without paying anything turns that daydream into reality.

The day before yesterday, a netizen published a serious vulnerability in the official WeChat Pay SDK (software development kit) in a foreign security community.

This vulnerability can lead to the merchant's server being compromised. Once an attacker obtains a merchant's critical security key, he or she can deceive the merchant by sending a forged message, without having to pay for anything.

WeChat Payments and Merchants

WeChat Pay: Which store are you?

Bakery: I am so-and-so bakery and my code name is ***

WeChat Pay: Did you generate the order?


WeChat Pay: I received $50. Is that the right amount?

Bakery: Right.

WeChat Pay: Good, then have your order system process it quickly; the customer has paid successfully.

Bakery: Okay, that will be taken care of.

This process is called the "merchant callback interface". Every merchant who wants to accept WeChat Pay, whether online or offline, communicates with WeChat Pay through this interface, which has a set of standard field definitions, such as order number, user information, price, and so on. Finally, a signature ensures that the transaction between the two sides is authentic and reliable.
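To show what the merchant's side of this exchange should look like in code, here is an added example of a merchant-side callback verifier. It is not code from the article or from the WeChat Pay SDK: the field names (out_trade_no, total_fee, result_code, sign), the HMAC-SHA256 signing scheme, the merchant key and the order book are all constructed for the example. The point it illustrates is that the signature alone is not enough: the merchant should also confirm the order exists, compare the amount against its own record rather than trusting the figure in the message, and process each notification only once.

```python
import hashlib
import hmac

# Constructed merchant key. In a real deployment this secret lives only on the
# merchant's server; the article's point is that if the server (and the SDK on
# it) is compromised, this key is exactly what an attacker is after.
MERCHANT_KEY = b"constructed-merchant-key-for-example-only"


def fresh_orders():
    """Constructed local order book: order id -> amount in cents and status."""
    return {"ORD-1001": {"amount": 5000, "status": "pending"}}


def canonical(fields):
    """Serialize all non-signature fields as key=value, sorted by key, '&'-joined.
    Assumed canonical form, not WeChat Pay's actual one."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sign").encode()


def sign(fields, key):
    """HMAC-SHA256 over the canonical form; assumed scheme for this example."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def verify_callback(fields, key, orders):
    """Return (accepted, reason) for one payment notification.

    Checks, in order: signature, order existence, amount against the
    merchant's own record, single processing, and the result code.
    """
    # 1. Signature must match; compare in constant time.
    if not hmac.compare_digest(sign(fields, key), fields.get("sign", "")):
        return False, "bad signature"

    # 2. The order number must refer to an order this merchant created.
    order = orders.get(fields.get("out_trade_no"))
    if order is None:
        return False, "unknown order"

    # 3. Never trust the amount in the message: compare with the local record.
    try:
        claimed = int(fields.get("total_fee", "-1"))
    except ValueError:
        return False, "malformed amount"
    if claimed != order["amount"]:
        return False, "amount mismatch"

    # 4. A notification for an order already marked paid is a replay or a
    #    duplicate; do not ship the goods twice.
    if order["status"] != "pending":
        return False, "already processed"

    # 5. Only a success result advances the order.
    if fields.get("result_code") != "SUCCESS":
        return False, "not a success notification"

    order["status"] = "paid"
    return True, "ok"


if __name__ == "__main__":
    orders = fresh_orders()

    # Genuine notification: signed with the merchant key, amount matches.
    genuine = {"out_trade_no": "ORD-1001", "total_fee": "5000", "result_code": "SUCCESS"}
    genuine["sign"] = sign(genuine, MERCHANT_KEY)
    print("genuine:", verify_callback(genuine, MERCHANT_KEY, orders))

    # Same notification delivered again: rejected as already processed.
    print("replayed:", verify_callback(genuine, MERCHANT_KEY, orders))

    # Message claiming $0 was paid, signed with a key the sender does not have.
    forged = {"out_trade_no": "ORD-1001", "total_fee": "0", "result_code": "SUCCESS"}
    forged["sign"] = sign(forged, b"not-the-merchant-key")
    print("forged, wrong key:", verify_callback(forged, MERCHANT_KEY, fresh_orders()))

    # Same message but signed with the real key (the compromised-key scenario):
    # the signature passes, and only the amount check against the local
    # order record stops the $0 purchase.
    forged["sign"] = sign(forged, MERCHANT_KEY)
    print("forged, stolen key:", verify_callback(forged, MERCHANT_KEY, fresh_orders()))
```

The last case is the one the article describes: once the key is compromised the signature no longer distinguishes genuine from forged messages, so the merchant's own order record is the remaining line of defence, and the key itself must be rotated.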

For this purpose, WeChat generally provides an official SDK so that each merchant can integrate WeChat Pay more smoothly and safely. Since the SDK package runs on these merchants' servers, a vulnerability in the package directly affects the security of the merchant's server.

If a vulnerability in the SDK is used to take control of the merchant's server, then there is a good chance that order statuses, user information and prices can be read and tampered with by hackers.

The user also posted screenshots of the exploit being used for purchases, with Vivo and Stranger being the ones hit.

Stranger's WeChat payment exploit process

VIVO's WeChat payment exploit process

Using this vulnerability, hackers could not only buy for $0 but also potentially resell user information.

But the vulnerability was fixed by WeChat as soon as it was discovered.

In a response to the media, Tencent said: "The WeChat Pay technical security team paid attention to and investigated this at the first opportunity, and at noon today released an SDK vulnerability update on the official website, fixing the known security vulnerabilities; we remind merchants to keep up to date. Please feel free to use WeChat Pay."

The vulnerability has been fixed; does it feel like you missed out on millions? Ha...