7-Eleven customers in Japan have lost 55 million Yen (£405,000) through an app flaw that allowed hackers to easily gain access to their accounts.
900 customers were exploited through their 7pay accounts, when hackers used the app to make fraudulent charges using their details.
Exploiting a flaw in the app’s design, the hackers struck around a day after the app was released (1st July), when users began to notice problems with their accounts.
It wasn’t until around a day after that (3rd July), that 7pay shut down the account. New customers are currently not being accepted.
Hacking the 7pay app
The app was hoped to be used as a cashless payment system, working through smartphones.
Customers used a barcode on the screen to pay for their 7-Eleven goods through their 7pay account where bank details had previously been saved.
The problem occurred through the password reset function. It was designed so that anybody could request a reset for the password to the app, it didn’t even have to be the app owner.
The password reset would then be sent to the email of the person who had requested it and from there it could be easily changed. Under the control of the hacker, the new details could simply be passed on to a third party.
To access the account, the hacker only needed to know the person’s date of birth, phone number, and email – all things which are easy enough to find through the web.
A report by Yahoo Japan said that if the user had decided not to enter a date of birth, the app entered a default date of 1st January 2019, which again, made it easier for hackers to enter details.
Hacking the 7-Eleven 7pay accounts for the attackers became even more straightforward as getting these details means that they didn’t have to use a HTTP request or use app codes, which hackers often have to do to get details.
One user on Twitter, commented: “Even if the password reset is done, the session while logged in cannot be closed, so the user may not notice that they are attacked.”
The security of 7-Eleven 7pay app
Commenting on the security of the app, Ilia Kolochenko, founder and CEO of web security company ImmuniWeb said: “Such a flagrant password reset vulnerability notoriously stands out among common security flaws. However, the vast majority of modern e-commerce websites and mobile apps do have critical vulnerabilities allowing the take over clients’ accounts, the stealing of funds or access to sensitive data from other accounts. Unlike the omnipresent XSS and less widespread injections, such vulnerabilities may be related to poor application business logic or require quite sophisticated chained exploitation of several flaws.”
He continued: “For that reason, very few of them are detectable with automated vulnerability scanning technologies that are so often selected by companies for their cheapest price. Ultimately, such a false economy leads to larger losses, not just monetary but reputational, let alone legal ramifications and concomitant costs.”
Kolochenko also said that people should be wary when it comes to giving out details that involve financial information. He said, “Customers should avoid entrusting large sums of money or credit cards to any websites or apps unless they are certain that the company thoughtfully invests in its application security and privacy. Companies on their side should implement continuous monitoring of all their external applications (including APIs) and consider enhancing automated monitoring with AI or human competence.”
Two Chinese men have been arrested in Tokyo after they were caught buying cigarettes using another person’s 7pay account. It is unsure if they are connected to the larger hacking crime.
7pay has promised to compensate all users who had money taken from them.