7-Eleven Japan recently shut down 7Pay, the new payment application for its convenience stores, just 2 days after its launch. The app reportedly had a security flaw that let attackers access 900 customer accounts; those customers lost a combined total of US$510,000.
Amit Sethi, Senior Principal Consultant at Synopsys, said, “A simple application penetration test performed by a security expert would have found this issue. While penetration tests on their own are not sufficient for building secure applications, they are essential for ensuring that trivially exploitable flaws like this are discovered before launch. Attackers that compromised user accounts now have access to the users’ e-mail addresses, phone numbers and potentially birthdates. Additionally, they might also have seen the users’ previous transactions and other potentially sensitive information. The attackers may use this information in the future to target the users with highly convincing phishing attacks.”
According to Laurie Mercer, Sales Engineer, EMEA, HackerOne, “This vulnerability allows anyone with my name and date of birth to reset my password to a password of their choice, and compromise my account. This sort of vulnerability can be easily detected by a human tester. It is therefore surprising that this vulnerability was not detected earlier. Recent experience at HackerOne shows that when incentivised with a modest bounty, hackers can find loopholes like this in under 4 minutes.”
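The weakness Mercer describes is a password reset that accepts publicly knowable facts (name and date of birth) as proof of ownership. The example below is added here to contrast that design with the usual fix: a random, single-use, short-lived token that is stored only as a hash and delivered out of band to the registered contact. It is illustrative code, not 7Pay's code or anything published by Synopsys or HackerOne; the in-memory `USERS` and `PENDING_RESETS` dictionaries, the sample account and the 15-minute lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset tokens expire after 15 minutes

# Constructed in-memory user store standing in for a database (assumption).
USERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "dob": "1990-01-01",
        "password_hash": hashlib.sha256(b"old-password").hexdigest(),
    }
}

# Pending resets keyed by account: only the token's hash and expiry are kept,
# so a leaked copy of this table does not hand out usable reset tokens.
PENDING_RESETS = {}


def _hash_password(password: str) -> str:
    # Illustration only: a production system would use a slow KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def weak_reset(name: str, dob: str, new_password: str) -> bool:
    """Knowledge-based reset: anyone who knows a user's name and date of birth
    can set a new password. This is the pattern to avoid."""
    for account in USERS.values():
        if account["name"] == name and account["dob"] == dob:
            account["password_hash"] = _hash_password(new_password)
            return True
    return False


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1 of the hardened flow: mint an unguessable single-use token bound
    to the account. The raw token is returned so the caller can deliver it out
    of band (e-mail or SMS to the contact already on file); only its hash is stored."""
    if email not in USERS:
        return None  # the HTTP response should look identical, to avoid account enumeration
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    PENDING_RESETS[email] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def complete_reset(email: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Step 2: accept the new password only with a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    pending = PENDING_RESETS.get(email)
    if pending is None:
        return False
    if now > pending["expires"]:
        del PENDING_RESETS[email]
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    del PENDING_RESETS[email]  # single use: a replayed token must fail
    USERS[email]["password_hash"] = _hash_password(new_password)
    return True


def verify_login(email: str, password: str) -> bool:
    account = USERS.get(email)
    if account is None:
        return False
    return hmac.compare_digest(account["password_hash"], _hash_password(password))
```

`weak_reset` succeeds for anyone holding two facts that are often public, which is exactly the failure mode quoted above. In the hardened path, knowing the victim's name and birthday gains nothing: the reset completes only with a token that was generated server-side and sent to the contact address already on the account, and it expires and burns after one use, so a leaked or guessed value has a short window and no replay.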