
Buy for 0 yuan: WeChat Pay's official SDK has been exposed to a serious vulnerability

via: 博客园    time: 2018/7/3 22:53:13    read: 542

It is the start of the month: have you paid off your Huabei (花呗) bill yet?

If someone told you that you could now buy things on some e-commerce platforms without spending a penny, would you believe it?

Well, I know you are smart; you won't believe that something for nothing falls from the sky.

But what if that person is a hacker?

On July 3rd, according to news from the White Hat Exchange Security Research Institute, a netizen published in a foreign security community a serious flaw in WeChat Pay's official SDK (software development kit) that can lead to a merchant's server being compromised. Once an attacker has obtained the key secrets (such as the md5-key and the merchant-Id), he can deceive the merchant by sending forged payment notifications and obtain goods without paying anything.


When integrating WeChat Pay, a merchant has to provide a notification URL that receives the asynchronous payment result. The problem is that the Java version of the SDK has an XXE (XML External Entity) vulnerability in its implementation: an attacker can send a crafted XML payload to the notification URL and read arbitrary information from the merchant's server at will.

In other words, hackers can use this WeChat Pay vulnerability to achieve 0-yuan purchases.

That is not all: the netizen also posted two pictures showing the exploitation process, and the victims were vivo and Momo.


Figure: exploitation process of the WeChat Pay vulnerability

Figure: vivo's WeChat Pay vulnerability exploitation process

It is worth noting that the vulnerability details and the attack method are now public, and security personnel recommend that merchants who built their WeChat Pay functions with the Java-language SDK check and fix them quickly. (To explain: WeChat has officially released its own WeChat Pay development kit, and many developers choose to use the latest official version. Generally speaking, SDKs are distinguished by programming language: if a site is written in a given language, its payment integration uses the SDK for that same language. There is also a special case, namely the relatively small number of merchants who use open-source or in-house code instead of the official development kit.)

So, who exactly uses WeChat Pay's official SDK? What is the scope of the impact? Why did the hacker choose Momo and vivo? How will merchants and users be affected? And why doesn't a hacker who knows about this vulnerability simply exploit it quietly himself?

Who uses the WeChat Pay SDK

As mentioned at the beginning of the article, this vulnerability concerns the official SDK of WeChat Pay. Who uses such an SDK?

White Hat Exchange's security director explains:

For example, when we pay with WeChat in daily life, there is a QR code to scan, or a WeChat Pay option when shopping online. This requires the merchant to establish a dedicated channel with WeChat Pay. Take buying bread as an example: at the moment you scan the code, the dialogue between WeChat Pay and the merchant goes like this:

WeChat Pay: Which shop are you?

Bakery: I am a bakery; my code name is ****.

WeChat Pay: Was this order generated by you?

Bakery: Yes.

WeChat Pay: I received 50 yuan. Is that the right amount?

Bakery: Yes.

WeChat Pay: Good. Have your order system process it quickly; the payment is successful.

Bakery: OK, I'll handle it that way.

This process is called

For this, WeChat provides an official SDK to make things easier for merchants, so that every merchant can connect to WeChat Pay more smoothly and securely. This SDK is deployed on the merchants' own servers, so a vulnerability in the development kit directly affects the security of the merchant server.

If one day a hacker uses a vulnerability in the SDK to take control of a merchant's server, the order status, user information and prices are likely to be stolen and tampered with.

According to BaCde, because WeChat's official SDK has this problem, every WeChat Pay integration built on the WeChat Pay Java SDK is likely to be affected.

Why did the hacker choose Momo and vivo to operate on? One is a mobile phone manufacturer and the other is a social app, which sounds different from the QR-code scanning or online shopping at an ordinary merchant that we usually do.

BaCde explains that in vivo's case it may be vivo's online shopping mall: for example, the hacker could use WeChat Pay to buy goods from the online mall without spending a penny. For Momo, it may be because membership can be topped up through WeChat Pay, leaving a loophole to exploit.

So perhaps this attacker is a single guy who regularly uses a vivo phone?

Merchants, users and hackers

If you are a merchant, what is the impact on you?

Take an online mall merchant as an example. If the language you use is Java (the current vulnerability is in the Java version), the first step to integrate WeChat Pay is to fetch the Java-language SDK from WeChat's official website. When the developer writes non-standard code and ends up with a vulnerable WeChat Pay function, a hacker who discovers it can steal information from the merchant, then forge network requests to buy goods for 0 yuan and gain access to the merchant's data.

It should be emphasized that although the developer here is the merchant's developer, the root cause is that WeChat Pay's SDK has a security problem in a certain place, so the vulnerability must be fixed at the official SDK.

What if I'm an ordinary user?

The most direct impact is that your user information in the merchant's backend is exposed, and hackers can obtain it and sell it on the dark web. Then you become a victim of spam.

For hackers, this vulnerability not only lets them buy for 0 yuan, but also lets them profit by reselling user information.

Vulnerability impact

Lei Feng network found that Momo and vivo have now repaired the relevant vulnerability, but WeChat has not officially released a security announcement for it, nor updated the Java version of the WeChat Pay SDK.

That is to say, all merchants using WeChat Pay's official SDK in Java are still at risk of attack.

Since WeChat has not officially fixed it, how did Momo and vivo fix it?

BaCde explains that Momo and vivo have their own security capabilities: they can modify the corresponding SDK code and fix the problem themselves. But some small merchants do not have that ability.

It is understood that although the current vulnerability affects the Java version of the SDK, the PHP version of the SDK has historically had a similar flaw. According to BaCde, the vulnerability is an XML External Entity (XXE) vulnerability: when the XML parser is allowed to reference external entities, crafted content can lead to arbitrary file reads, system command execution, internal network port scanning, attacks on internal sites and so on.
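As an added example (not code from the article or from the WeChat Pay SDK), here is what the fix looks like on the merchant side for the notify-URL handling described above: a hardened XML-to-map routine that refuses DTDs and external entities, so the XXE condition cannot arise. The class name, the field names and the sample notification messages are constructed for illustration.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
// Hypothetical hardened replacement for the XML-to-map step at a notify URL.
public class SafeNotifyParser {
    // A parser that refuses any DOCTYPE and never resolves external entities,
    // which removes the XXE condition the article describes.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    // Turn <xml><k>v</k>...</xml> into a map of its top-level elements.
    static Map<String, String> parseNotify(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        Map<String, String> out = new HashMap<>();
        NodeList nodes = doc.getDocumentElement().getChildNodes();
        for (int i = 0; i < nodes.getLength(); i++) {
            Node n = nodes.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE) out.put(n.getNodeName(), n.getTextContent());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a payment-result notification; values are made up.
        String ok = "<xml><return_code><![CDATA[SUCCESS]]></return_code>"
                  + "<out_trade_no>ORDER-0001</out_trade_no><total_fee>5000</total_fee></xml>";
        System.out.println(parseNotify(ok));
        // A message with a DOCTYPE prepended is rejected before any entity is processed.
        try {
            parseNotify("<!DOCTYPE xml [<!ENTITY x \"y\">]>" + ok);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The parser rejection must be treated as a failed notification; the handler should also still verify the message signature against the merchant key, since parsing safely does not by itself prove the notification came from WeChat Pay.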

For an attacker, with such a good opportunity to make money, one would expect him to get rich quietly. Why choose to attack in the open?

According to Zhao Wu, founder of White Hat Exchange, directly publishing a weapon of this level is very unusual. One possible reason is that the hacker may have left traces while exploiting the vulnerability and feared being traced, so he published it so that a large number of hacker groups would launch attacks and drown out his own initial attack, hiding himself in the noise.

It is worth noting that although the article on the foreign website is in English, its author uses Chinese punctuation, so it is likely that the attack details were published by a domestic technician pretending to be a foreigner.


Tencent is aware of the vulnerability

At present, Lei Feng network found that security personnel also discussed the vulnerability on Twitter. One of them apparently did not know anyone on Tencent's security team and directly @'d 360 to look for a contact; 360 then passed the vulnerability on to Tencent, and an account verified as the Tencent Security Response Center replied on Twitter, indicating that it is being handled.

