Xiaomi fixes a bug in its mobile payment mechanism

Left unpatched, the bug could have let an attacker steal WeChat Pay controls and the private keys used to sign payment packages, and an unprivileged Android app could have created and signed fake payment packages.

Cyber-security researchers disclosed their findings to Xiaomi, which acknowledged and released an immediate fix for the bug.

“We have discovered a set of vulnerabilities that could allow payment packages to be created or payment systems to be directly disabled,” said Check Point security researcher Slava Makkaveev.

If not patched, more than 1 billion users could have been affected by the bug.

“We were able to hack WeChat Pay and implement a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues,” Makkaveev said.

The cyber-security company immediately disclosed the findings to Xiaomi, which “acted swiftly to issue a fix”.

The devices studied by Check Point Research (CPR) were powered by MediaTek chips.

The team described two ways to attack trusted code.

“First, from an unprivileged Android app, where the user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money,” the CPR team said.

Second, if the attacker has the target device physically in hand.

“The attacker rooted the device, then downgraded the trust environment, and then ran code to create a fake payment package without any applications,” it added.

Disclaimer: This story is auto-aggregated by a computer program and is not created or edited by FreshersLIVE. Publisher: IANS-media
