Aliexpress is one of the most popular marketplaces, opening the world of Chinese goods to buyers anywhere in the world. First, a short digression about Alipay, needed to understand the problem I found in its security system.
Alipay (an Alibaba company) is a payment service that is very popular in China and is slowly beginning to spread around the world. In China, Alipay is accepted in a great many places and services; in other countries it is currently used only for paying on Aliexpress (also an Alibaba company). Alipay lets users save a credit card and, when making a purchase on Aliexpress, pay with the saved card without entering its details again.
Now that we know a little about Alipay, let's look at how it is used on Aliexpress. When registering with Alipay, you create a password, as in any normal registration process. When you use the service to pay, Alipay asks you to enter that password to sign in, but here is the interesting part.
If you make a purchase through the Aliexpress mobile app while at home (and most buyers buy from home), the app on your smartphone or tablet marks your home WiFi network as safe and will not ask for a password on subsequent purchases! This remains so until you make a purchase from another network.
Aliexpress and Alipay technical support representatives confirmed this and told me it is done as part of the One Click Checkout feature, to make payment even easier for users.
Here is a landing page that explains the One Click Checkout process:
http://activities.aliexpress.com/oneclickcheckout.php
All this made me think about the security of the Alipay service, particularly in three scenarios. The first two differ only in how they start; the result is the same.
Option 1: Imagine you lost your phone (with no screen lock). Could someone who finds it use your credit card to buy something?
Option 2: The same applies if someone stole your phone (again without a lock).
Option 3: You want to defraud Aliexpress and Alipay: place orders and then claim they were not made by you.
I decided to check each option. If I were the one using a found or stolen phone to buy things with someone else's credit card, I would need two things:
First, to be connected to the network that the Aliexpress mobile app remembered as safe. That is simple: all you need is the real owner's address. I checked: the Aliexpress app stores the owner's address and, of course, shows it without any protection! Then you only need to be close enough to the wireless network in the owner's house or apartment and, yes, the phone connects to the owner's router automatically.
Second, to be able to change the shipping address. Easy: go to the Aliexpress app > My Aliexpress > My profile > Shipping addresses > Add a new address. Done! No protection at all!
In other words, there is no need to work hard or crack anything; everything is already available.
Now for the third option: could I cheat and deceive Aliexpress / Alipay?
Of course, we know this is possible: I can place orders myself, using an address that has nothing to do with me (a different name, surname and address, perhaps in another city or another country). Any friend's address will do. I then place orders a couple of times a day over some period, for small amounts of $100 - $200, so as not to show up on the radar of Alipay or the bank that issued the credit card.
After I have placed a certain number of orders and the sellers have shipped them, I can contact Aliexpress / Alipay support and state that the orders were not made by me and that the money was stolen, all because of a vulnerability that is so easy to exploit.
Moreover, I can go to the police, report my phone stolen and give Alipay the report as evidence.
After checking all of this, I contacted Aliexpress / Alipay technical support to report the vulnerability and received the following response:

Consider:
1. The user must be logged into the account to make a payment. Check: the Aliexpress app stays logged in forever once the owner has signed in. This does not help us.
2. Aliexpress / Alipay checks every payment; if something is wrong with the data, a password and other details are requested. Check: Aliexpress / Alipay declined to say what they check from a security point of view, but as we have seen, Aliexpress / Alipay cannot really know whether the orders were placed by the phone's owner or not. These measures will not save us either.
3. And finally, 100% compensation! Aliexpress generously promises compensation if something happens.
"And besides, paying without a password is much faster and easier, enjoy," they advised me. It sounds so logical; they simply did not consider that it would be just as easy and quick for an attacker.
And one last tip from tech support: if you are still worried, just delete your credit card details! What? That does not inspire confidence. Shouldn't the system be safe and secure by itself?
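As an added illustration (not Alipay's code and not part of the original post), here is what the payment check described in point 2 could look like if it actually closed the gap described above: a remembered WiFi network on its own is not enough to skip the password when the shipping address was just added without re-authentication, when the "trusted network" marker is stale, or when too many one-click orders have already been placed that day. All thresholds, field names and the two scenarios are assumptions constructed for this example.

```python
"""Step-up authentication policy for a one-click payment.

Added example, not Alipay's implementation. It models the decision
"should this payment require the password?" from the signals the post
mentions: the remembered (trusted) network, the shipping address and
the number of orders already placed. Thresholds are assumed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy thresholds (constructed for this example).
NEW_ADDRESS_WINDOW = timedelta(hours=24)          # address younger than this is "new"
TRUSTED_NETWORK_MAX_AGE = timedelta(days=30)      # re-confirm the network after this
MAX_ONE_CLICK_ORDERS_PER_DAY = 3                  # velocity limit without a password


@dataclass
class PaymentContext:
    network_is_trusted: bool            # app marked the current WiFi as safe
    trusted_since: Optional[datetime]   # when the network was marked safe
    address_added_at: datetime          # when the shipping address was created
    address_added_with_password: bool   # was the password required to add it
    orders_today: int                   # one-click orders already placed today
    now: datetime


def evaluate(ctx: PaymentContext) -> Tuple[bool, List[str]]:
    """Return (require_password, reasons). No reasons means one-click is allowed.

    The reasons list is meant to be logged so that fraud analysts can see
    why a payment was stepped up, not only that it was.
    """
    reasons: List[str] = []

    if not ctx.network_is_trusted:
        reasons.append("untrusted network")
    elif ctx.trusted_since is None or ctx.now - ctx.trusted_since > TRUSTED_NETWORK_MAX_AGE:
        reasons.append("trusted-network marker expired")

    # The core fix for the scenario in the post: a freshly added address
    # that did not require the password is not trusted by itself.
    if (ctx.now - ctx.address_added_at < NEW_ADDRESS_WINDOW
            and not ctx.address_added_with_password):
        reasons.append("shipping address added recently without re-authentication")

    if ctx.orders_today >= MAX_ONE_CLICK_ORDERS_PER_DAY:
        reasons.append("order velocity above one-click limit")

    return (bool(reasons), reasons)


def owner_at_home() -> PaymentContext:
    """Constructed scenario: owner, home WiFi, long-standing address."""
    now = datetime(2019, 3, 1, 12, 0)
    return PaymentContext(
        network_is_trusted=True,
        trusted_since=now - timedelta(days=5),
        address_added_at=now - timedelta(days=200),
        address_added_with_password=True,
        orders_today=0,
        now=now,
    )


def new_address_on_home_wifi() -> PaymentContext:
    """Constructed scenario: same phone and WiFi, but an address added 10 minutes ago."""
    now = datetime(2019, 3, 1, 12, 0)
    return PaymentContext(
        network_is_trusted=True,
        trusted_since=now - timedelta(days=5),
        address_added_at=now - timedelta(minutes=10),
        address_added_with_password=False,
        orders_today=0,
        now=now,
    )


if __name__ == "__main__":
    for name, ctx in (("owner at home", owner_at_home()),
                      ("new address on home WiFi", new_address_on_home_wifi())):
        required, why = evaluate(ctx)
        print(f"{name}: require password={required} {why}")
```

The point of the design is that the network is only one signal among several, and the signal an attacker can change most easily (the shipping address) is exactly the one that forces the password back on.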
Summary
The vulnerability is very simple. It seems that each development team relied on the others, and in the end the whole process is vulnerable! I hope Aliexpress / Alipay will fix this as soon as possible; it is too easy to leave it as it is! I contacted Aliexpress / Alipay support many times to demonstrate this vulnerability, but I always received the same answer: do not worry, everything is under control. No one wants to listen and remove it.
I could have finished here, but I decided to dig a little further.
After exploring the new Aliexpress features, I found an additional vulnerability on the site. Anyone who has a phone with the Aliexpress app can also log into the account on the website quite easily, thanks to the new authorization process via the QR code on the Aliexpress login page.
Pay attention to the QR sign in the corner of the login page.

All that is needed is to click on the QR code, scan it with the Aliexpress app and confirm. This logs you into the account without a password. From here you can see all the user's data, and from here you can log into the Alipay account! Of course, you cannot see the credit card details, but you can see almost everything else.
Finally, to summarize
My recommendation to all Aliexpress / Alipay users: if you use the app and your credit card details are stored in the service, put a lock on your phone (this matters for the security of all your personal data) and be sure to enter your phone number in Alipay so that you receive alerts about purchases and payments; then you will know if something happens.
Or do what Alipay's support suggests: if you are still worried about security, remove the credit card from the Alipay service.