New Delhi, Aug 12: The world’s largest smartphone manufacturer Xiaomi has fixed a few bugs that were discovered in its mobile payments system by security experts, Check Point Research (CPR) confirmed on Friday. If left unpatched, the bugs could have let a hacker steal the private keys that authenticate WeChat Pay control and payment packages.
Also, an unprivileged Android application could have created and signed a fake payment package.
The cyber-security researchers reported their findings to Xiaomi, which acknowledged them and immediately issued fixes for the bugs.
“We discovered a series of vulnerabilities that could permit the forging of payment packages, or disable the payment system completely, via an unprivileged Android application,” said Slava Makkaveev, security researcher at Check Point.
More than 1 billion users could be affected by the bugs if they were not fixed.
“We were capable of hacking into WeChat Pay and implemented a fully functional proof of concept. This is the first time that Xiaomi’s reputable applications are being analyzed for security concerns,” Makkaveev added.
The cyber-security company immediately disclosed its findings to Xiaomi, which “worked quickly to implement a fix”.
The devices that were studied by CPR were powered by MediaTek chips.
The team outlined two ways to attack the trusted code.
“First, it is from an unprivileged Android application which is installed by the user.
The user then installs a malicious app and then launches it. The application extracts the keys and sends out a fake payment card to get the funds,” said the CPR team.
The second applies if the attacker has the target's device in their possession.
“The attacker roots the device, then lowers the trust level, and executes the application to create a fake credit card without an application,” it said.






