
Alipay vulnerability allows passwords to be tampered with? It's very difficult to test it yourself

Latest update time:2021-09-01 02:24


Just this morning, a Leifeng.com editor on his way to work suddenly received a text message containing an Alipay verification code. Noticing that something was wrong, he immediately opened the Alipay client and got a real fright:



His Alipay account was being logged into by someone else, and right after that he received a WeChat message from a friend:


I just used the "fatal loophole in Alipay" that was circulated on the Internet to reset your login password, and it actually worked! Don't you know it yet? It's spread all over the circle of friends!


An Alipay vulnerability? The Leifeng.com editor immediately opened WeChat Moments and found that many friends in the network security circle had forwarded a post titled "A fatal vulnerability has been discovered in Alipay, quickly unbind your bank card."


According to the post, some netizens had discovered a fatal logic flaw in Alipay's login flow that allowed acquaintances to log in to each other's Alipay accounts. The process was roughly as follows:


After entering the "Forgot Password" interface, select "Unable to receive text messages". Two related questions will then appear: 1. Pick someone you know out of 9 pictures; 2. Select an address related to you.


As long as both questions are answered correctly, the password of that Alipay account can be reset; after logging in, the quick payment function can be used without a payment password, spending the funds in the other party's Alipay directly.



Soon, as the news spread through Moments, more and more people said they had received Alipay login verification text messages and account abnormality alerts. Many began trying to reproduce the vulnerability on their friends' Alipay accounts. One person said that no fewer than ten people around him had successfully logged into their friends' Alipay accounts, and that even a network security expert had been hit, so he judged that the problem might be very serious.


What is the actual success rate?


After about 7-8 attempts on the Alipay accounts of friends around him, the Leifeng.com editor successfully reset one friend's password, but only because the two were very familiar with each other and knew each other's acquaintances, shopping records, home addresses and so on. Although the result is indeed surprising, the success rate is nowhere near as exaggerated as the claim circulating online: "Strangers have a one-fifth chance of logging into your Alipay, and acquaintances have a 100% chance."


During the test, we found that the two questions were drawn at random from several types, such as "people you know", "addresses related to you" and "things you have bought". After one or two wrong answers, that method is blocked and only other methods of retrieving the password remain; those other methods are in turn gradually blocked after failed attempts. This appears to trigger some kind of security mechanism in Alipay.


[The verification method will change after verification fails]


After many experiments, the Leifeng.com editor found that no matter whose Alipay account he tried, he could no longer reset the password using the "relevant information" method described above.


By around 10 a.m., many friends who were testing the vulnerability also said that their attempts had failed and that the relevant-information retrieval could only be triggered on the device they usually use. A security practitioner said: "Alipay responded very quickly and it is said that the risk control has been adjusted."


Alipay official response


At around 11:50 a.m., Alipay’s official Weibo account issued a statement announcing the incident. The full text is as follows:



Although Ant Financial has not yet provided a specific analysis of its risk control measures, Leifeng.com understands that Alipay's risk control and Ali Ju Anquan share the same technical foundation. On that basis, it can be inferred that Alipay also uses the following risk control measures:


Risk Information Database


All Alipay login verification data is fed into a risk information database. Every risky user, together with the mobile phone number, email address, IP address and ID number behind them, is recorded there.


Device fingerprint


For each device that logs into Alipay, risk control assigns the device a unique fingerprint. The system collects multi-dimensional information, such as:


  • Basic information about the App, including its name and version, as well as the version of the integrated SDK.

  • Device information, including device name, model, operating system, IMEI number and MAC address. (iOS devices only expose part of this information.)

  • Network information: Wi-Fi, 4G and other parameters.

  • Public interface information, such as software ID and developer ID.


The device's "fingerprint ID" is calculated from the information above and serves as the device's identity card. When the hardware changes, the device is still recognised as the same one as long as the proportion of changed attributes stays below a certain threshold.


According to Alipay's announcement, the risk control level has been raised: the "relevant information verification" method can now only be used to log in from the user's own device. So there seems to be no need for everyone to rush to unbind their bank cards.
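The two mechanisms described above, fuzzy device-fingerprint matching with a change threshold and blocking a retrieval method after failed answers, can be sketched in a few lines. This is an added illustration, not Alipay's code: the attribute set, the 30% change threshold, the two-failure limit and all device values are constructed assumptions.

```python
from dataclasses import dataclass, field

# The attribute dimensions the article lists: app, device, network and public
# interface information. All values used below are constructed sample data.
FIELDS = ("app_name", "app_version", "sdk_version", "device_name", "device_model",
          "os_version", "imei", "mac", "wifi_ssid", "carrier", "software_id",
          "developer_id")

STORED_DEVICE = {"app_name": "alipay", "app_version": "10.2", "sdk_version": "3.1",
                 "device_name": "my-phone", "device_model": "phone-A", "os_version": "12",
                 "imei": "IMEI-SAMPLE-1", "mac": "02:00:00:00:00:01",
                 "wifi_ssid": "home-wifi", "carrier": "carrier-X",
                 "software_id": "sw-1", "developer_id": "dev-1"}


def same_device(stored: dict, observed: dict, max_changed_ratio: float = 0.3) -> bool:
    """Recognise the observed device as the stored one when the proportion of
    changed attributes stays below max_changed_ratio (threshold is an assumption)."""
    changed = sum(1 for f in FIELDS if stored.get(f) != observed.get(f))
    return changed / len(FIELDS) < max_changed_ratio


@dataclass
class ResetRiskControl:
    """Gates the password-reset methods the way the article describes."""
    known_devices: list
    max_failures: int = 2                 # assumption: block a method after two wrong answers
    failures: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def may_use_method(self, method: str, device: dict) -> bool:
        # After the adjustment, "relevant information" reset is allowed only on a known device.
        if method == "relevant_info" and not any(same_device(d, device) for d in self.known_devices):
            return False
        return method not in self.blocked

    def record_answer(self, method: str, correct: bool) -> bool:
        """Count a wrong answer; once the limit is reached, the method is blocked
        and only the remaining retrieval methods stay available."""
        if correct:
            return True
        self.failures[method] = self.failures.get(method, 0) + 1
        if self.failures[method] >= self.max_failures:
            self.blocked.add(method)
        return False
```

A phone that changed Wi-Fi and updated the app still matches; a different handset with a new IMEI and MAC does not, so it never reaches the knowledge questions at all.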


Leifeng.com will continue to report on this incident and restore the key technical details for everyone.


