- 14 Mar 2002
- Reaction score
The level of incompetence and negligence displayed in launching the 7pay app is simply unbelievable. Chinese hackers had been compromising it from the first day of operation, stealing a total of 55m JPY! Accounts were hijacked, as third parties were able to have a new password generated and sent to an email account of their choice! There was no two-factor authentication (2fa) in place.
Hackers exploit 7-Eleven's poorly designed password reset function to make unwanted charges on 900 customers' accounts.
However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people's accounts, but have the password reset link sent to their email address, instead of the legitimate account owner. A hacker only needed to know a 7pay user's email address, date of birth, and phone number. An additional field in the password reset section allowed the hacker to request that the password reset link to be sent to a third-party email address (under the hacker's control), with no need to dig through the app's code or tamper with HTTP requests, like most of these hacks involve. Furthermore, if the user didn't enter their date of birth, the app would use a default of January 1, 2019, making some attacks even easier, according to a report in Yahoo Japan. With so much data about Japanese users lying around the internet from the multitude of past breaches, a hacker only had to compile it and automate an attack.
The industry ministry on Friday told the operator of Seven-Eleven convenience stores in Japan its mobile payment service was not secure enough after customers were allegedly defrauded through unauthorized access, urging the company to submit preventive measures. One of two Chinese men arrested...