Recently, hackers exploited a flaw in the 7-Eleven 7pay app and swindled over $500,000 (about ¥55 million). Read on to know more about it…
Popular convenience store chain 7-Eleven has become the latest victim of a cyber attack. Hackers exploited a security vulnerability in 7-Eleven’s 7pay mobile payment app and stole around ¥55 million.
7-Eleven Inc. is a Japanese-American international chain of convenience stores. 7pay is a mobile payments app developed by 7-Eleven that was intended for its Japanese customers. It was launched on July 1, 2019.
What Went Wrong
Every time a customer needs to complete a payment, the mobile app displays a barcode on the phone; the cashier scans the barcode and the purchase is charged to the customer’s 7pay account. Unfortunately, the password reset function was poorly designed: anyone could reset the password of another customer’s account, needing only the victim’s email address, date of birth, and phone number. “A credit card abuse incident has occurred with Seven Eleven’s smartphone payment “7pay”. Although the cause is not clear yet, it turned out that the specification has a big weakness.” reads a post published by Yahoo Japan.
“Knowing the email address, date of birth, and phone number, it turned out that a third party could change the 7pay 7-Eleven app password. Furthermore, because there is no second authentication such as SMS authentication, it is possible for a third party to take over.”
The password reset form also accepted an additional field, which let the attacker have the password reset link sent to an email address of the attacker’s choosing instead of to the address on file for the legitimate owner.
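To make the flaw concrete, here is an added example (not code from 7-Eleven or 7pay; the 7pay server side was never published) of a password-reset handler with the two weaknesses described above, beside a hardened version. The user store, the form field names (including the extra `send_to` field), the OUTBOX stand-in for the mail and SMS gateway, and the one-time-code step are all assumptions made for illustration:

```python
import secrets
import time

# Constructed in-memory stand-ins for the account database and the mail/SMS gateway
# (assumptions; none of these names come from 7pay).
USERS = {
    "victim@example.com": {
        "dob": "1990-04-12",
        "phone": "09012345678",
        "password": "original-password",
    },
}
OUTBOX = []        # (channel, recipient, payload) records of every message "sent"
PENDING = {}       # reset token -> {"account": email, "expires": unix time}
SMS_CODES = {}     # reset token -> {"code": six-digit OTP, "attempts_left": n}
TOKEN_TTL = 3600   # seconds a reset token stays valid
MAX_OTP_ATTEMPTS = 3


def _facts_match(email, dob, phone):
    """The knowledge-based check both flows use: email + date of birth + phone."""
    user = USERS.get(email)
    return user is not None and user["dob"] == dob and user["phone"] == phone


def _issue_token(email):
    token = secrets.token_urlsafe(32)            # unguessable, single-use
    PENDING[token] = {"account": email, "expires": time.time() + TOKEN_TTL}
    return token


def request_reset_vulnerable(form):
    """Reproduces the flaw described above: three facts an attacker can often look up
    unlock the reset, and an extra form field decides where the link is delivered."""
    email = form.get("email")
    if not _facts_match(email, form.get("dob"), form.get("phone")):
        return "no such account"                 # also confirms which emails are registered
    token = _issue_token(email)
    recipient = form.get("send_to", email)       # attacker-controlled destination
    OUTBOX.append(("email", recipient, token))
    return "reset link sent"


def complete_reset_vulnerable(token, new_password):
    """Whoever holds the link sets the password; no second factor is involved."""
    entry = PENDING.pop(token, None)
    if entry is None or entry["expires"] < time.time():
        return False
    USERS[entry["account"]]["password"] = new_password
    return True


def request_reset_hardened(form):
    """Same knowledge check, but: unknown form fields are never read, the link goes
    only to the address on file, an OTP goes to the phone on file, and the response
    is identical whether or not the account exists."""
    email = form.get("email")
    if _facts_match(email, form.get("dob"), form.get("phone")):
        token = _issue_token(email)
        OUTBOX.append(("email", email, token))   # never a caller-supplied address
        code = f"{secrets.randbelow(10 ** 6):06d}"
        SMS_CODES[token] = {"code": code, "attempts_left": MAX_OTP_ATTEMPTS}
        OUTBOX.append(("sms", USERS[email]["phone"], code))
    return "If that account exists, a reset link has been sent"


def complete_reset_hardened(token, sms_code, new_password):
    """Requires the emailed token AND the SMS code; a few wrong codes burn the token."""
    entry = PENDING.get(token)
    otp = SMS_CODES.get(token)
    if entry is None or otp is None or entry["expires"] < time.time():
        return False
    if not secrets.compare_digest(otp["code"], str(sms_code)):
        otp["attempts_left"] -= 1
        if otp["attempts_left"] <= 0:            # stop online guessing of the 6-digit code
            PENDING.pop(token, None)
            SMS_CODES.pop(token, None)
        return False
    PENDING.pop(token, None)
    SMS_CODES.pop(token, None)
    USERS[entry["account"]]["password"] = new_password
    return True
```

The two things worth checking in any reset flow are visible here: where the server gets the delivery address from (always the stored one, never the request), and whether possession of the link alone is enough to change the password. The hardened handler also answers identically for known and unknown accounts, so the reset endpoint cannot be used to confirm which email addresses are registered.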
Several victims reported being locked out of their 7pay accounts a day after it was released. In a media report, 7-Eleven acknowledged the account hijacking committed by the attackers. The convenience store chain said that around 900 7pay accounts were compromised, with fraudulent payments totalling about ¥55 million.
“Currently, it has been confirmed that some accounts may be accessed by third parties.” reads the security advisory published by 7-Eleven.
“Therefore, we will stop charging with credit cards and debit cards until the security of the transaction is confirmed; only cash charges at Seven Bank ATMs, charges with nanaco points, and cash charges at the Seven-Eleven storefront cash register will be available. We will inform you as soon as the prospect of reopening is reached. We deeply apologize to everyone for the great inconvenience and concern.”
To recap: hackers exploited a faulty password reset function in 7pay, the mobile payment app developed by 7-Eleven, and made fraudulent payments from the accounts of around 900 Japanese customers. Anyone who knew a user’s email address, date of birth and phone number could have the password reset link sent to an email address under their own control, reset the password and take over the account.
In a media release, 7-Eleven said that it took action immediately after the incident. “Currently, charges from credit cards and debit cards have been suspended; in addition, cash charges at Seven Bank ATMs, cash charges at the Seven-Eleven storefront cash register, and charges from nanaco points will be suspended, so all charges will be suspended. In addition, we will stop new registrations for “7pay (seven pay)”,” 7-Eleven reported.
7-Eleven has assured customers that it will compensate all victims of this incident. Furthermore, it has taken the 7pay service down for now.