Xiaomi fixes bugs in its mobile payment mechanism


New Delhi, Aug 12 (IANS): Global smartphone player Xiaomi has fixed some bugs that were identified in its mobile payment mechanism by cyber security researchers, Check Point Research (CPR) said on Friday.

Left unpatched, an attacker could steal private keys used to sign Wechat Pay control and payment packages, and an unprivileged Android app could have created and signed a fake payment package.

The cyber-security researchers disclosed its findings to Xiaomi, which acknowledged and issued immediate fixes for the bugs.

"We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application," said Slava Makkaveev, security researcher at Check Point.

Over 1 billion users could have been affected by the bugs, if left unpatched.

"We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi's trusted applications are being reviewed for security issues," Makkaveev added.

The cyber-security company immediately disclosed the findings to Xiaomi, which "worked swiftly to issue a fix".

The devices studied by CPR were powered by MediaTek chips.

The team detailed two ways to attack the trusted code.

"First, from an unprivileged Android app, where the user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money," said the CPR team.

Second, if the attacker has the target devices in their hands.

"The attacker roots the device, then downgrades the trust environment, and then runs the code to create a fake payment package without an application," it added.

 

  

Top Stories


Leave a Comment

Title: Xiaomi fixes bugs in its mobile payment mechanism



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.