Does an Alipay vulnerability let others reset your password? We tested it ourselves, and it is hard to pull off
This morning, while on the road, the editor of Leifeng.com suddenly received a text message containing an Alipay verification code. Noticing that something was wrong, he immediately opened the Alipay client and got a fright:
his Alipay account was being logged into by someone else. Then a WeChat message from a friend arrived:
I just used the "fatal loophole in Alipay" that was circulated on the Internet to reset your login password, and it actually worked! Don't you know it yet? It's spread all over the circle of friends!
An Alipay vulnerability? The Leifeng.com editor opened WeChat Moments and found that many friends from the network security community had forwarded a post titled "A fatal vulnerability has been discovered in Alipay, unbind your bank card quickly."
According to the post, netizens had discovered a fatal logic flaw in Alipay's login flow that lets acquaintances log in to each other's Alipay accounts. The process is roughly as follows:
Open the "Forgot Password" screen and select "Unable to receive text messages". Two related questions then appear: 1. pick someone you know from among 9 pictures; 2. pick an address related to you.
Answer both questions correctly and you can reset the password of that Alipay account. Once logged in, you can use the quick payment function, which does not ask for the payment password, and spend the funds in the other person's Alipay directly.
As the news spread through Moments, more and more people reported receiving Alipay login verification text messages and account-abnormality alerts. Many began trying to reproduce the vulnerability on their friends' Alipay accounts. One person said that no fewer than ten people around him had successfully logged into friends' Alipay accounts, and that even a network security expert had been hit, so he judged that the problem might be very serious.
What is the actual success rate?
After about 7-8 attempts on the Alipay accounts of friends around him, the Leifeng.com editor did succeed in resetting one friend's password, but only because the two were very familiar with each other: he knew whom the friend knew, what the friend had bought, and where the friend lived. Although the result is surprising, the success rate is nowhere near the claim circulating online that "strangers have a one-in-five chance of logging into your Alipay, and acquaintances have a 100% chance."
During testing we found that the two questions are drawn at random from several kinds, such as "people you know", "addresses related to you" and "things you have bought". After one or two wrong answers, that recovery method is blocked and only the other methods remain available; those are blocked in turn after further failed attempts. This appears to be one of Alipay's security mechanisms being triggered.
[Image: the verification method changes after a failed verification]
After many more attempts, the Leifeng.com editor found that, no matter whose Alipay account he tried, the earlier method of resetting the password with "related information" no longer worked at all.
By around 10 a.m., many friends who were testing the vulnerability also reported that their attempts failed, and that the related-information recovery method could only be triggered on the devices they normally use. A security practitioner said: "Alipay responded very quickly and it is said that the risk control has been adjusted."
Alipay official response
At around 11:50 a.m., Alipay’s official Weibo account issued a statement announcing the incident. The full text is as follows:
Although Ant Financial has not yet published a detailed analysis of its risk-control measures, Leifeng.com understands that Alipay's risk control and Ali Ju Anquan (Alibaba JAQ) share the same technical foundation. On that basis, it can be inferred that Alipay uses the following risk-control measures:
Risk Information Database
All Alipay login verification data is fed into a risk information database. Every user flagged as risky is recorded together with the mobile phone number, email address, IP address and ID number behind them.
Device fingerprint
For each device that logs into Alipay, risk control assigns the device a unique fingerprint. The system collects multi-dimensional information, such as:
- Basic app information, including the app's name and version and the version of the integrated SDK.
- Device information, including device name, model, operating system, IMEI number and MAC address (iOS devices expose only part of this).
- Network information: Wi-Fi, 4G and other parameters.
- Public interface information, such as software ID and developer ID.
The device's "fingerprint ID" is computed from the information above and serves as the device's identity card. When the hardware changes, the device is still recognised as the same device as long as the changed portion stays below a certain proportion.
According to Alipay's announcement, the risk-control level has been raised: the "related information verification" recovery method can now only be used on devices the account owner already uses. So there seems to be no need to rush to unbind bank cards.
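To make the device-fingerprint and risk-control policy described above concrete, here is an added example in Python. It is not Alipay's, Ant Financial's or Alibaba JAQ's code: the attribute list follows the article, but the weights, the 0.75 "still the same device" threshold, the sample device records and the `RiskControl` class are assumptions made up for this illustration. It computes an exact fingerprint ID over the collected attributes, a weighted similarity score that tolerates partial hardware or app changes, and then gates the related-information password reset on the requesting device matching one already associated with the account.

```python
"""Illustrative fuzzy device-fingerprint matcher.

Added example, not Alipay's or Alibaba's code. The attribute list follows the
article; the weights, the 0.75 threshold and the sample devices are assumptions
made up for this example.
"""
import hashlib
from typing import Dict, List, Optional

Attrs = Dict[str, Optional[str]]

# Weighted attributes. Hardware identifiers (IMEI, MAC, model) are harder to
# change than app metadata, so they count for more in the similarity score.
ATTRIBUTE_WEIGHTS: Dict[str, int] = {
    "app_name": 1, "app_version": 1, "sdk_version": 1,           # app information
    "device_name": 2, "model": 3, "os": 2, "imei": 4, "mac": 4,  # device information
    "network": 1,                                                # Wi-Fi / 4G parameters
    "software_id": 1, "developer_id": 1,                         # public interface info
}
TOTAL_WEIGHT = sum(ATTRIBUTE_WEIGHTS.values())  # 21
SAME_DEVICE_THRESHOLD = 0.75  # assumed share of weight that must still match


def fingerprint_id(attrs: Attrs) -> str:
    """Exact fingerprint ID: SHA-256 over the canonicalised attribute pairs."""
    canon = "\n".join(f"{k}={attrs.get(k) or ''}" for k in sorted(ATTRIBUTE_WEIGHTS))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def similarity(known: Attrs, observed: Attrs) -> float:
    """Weighted share of attributes that agree. Missing values (e.g. IMEI/MAC
    on iOS, which exposes only partial information) never count as a match."""
    matched = sum(
        w for k, w in ATTRIBUTE_WEIGHTS.items()
        if known.get(k) is not None and known.get(k) == observed.get(k)
    )
    return matched / TOTAL_WEIGHT


def is_same_device(known: Attrs, observed: Attrs,
                   threshold: float = SAME_DEVICE_THRESHOLD) -> bool:
    """Same device if the exact ID matches, or if the changed portion of the
    weighted attributes stays below (1 - threshold)."""
    if fingerprint_id(known) == fingerprint_id(observed):
        return True
    return similarity(known, observed) >= threshold


class RiskControl:
    """Minimal model of the adjusted policy: the related-information password
    reset is only offered from a device already associated with the account."""

    def __init__(self) -> None:
        self.known_devices: Dict[str, List[Attrs]] = {}

    def register_device(self, account: str, attrs: Attrs) -> None:
        self.known_devices.setdefault(account, []).append(dict(attrs))

    def allow_related_info_reset(self, account: str, attrs: Attrs) -> bool:
        return any(is_same_device(d, attrs) for d in self.known_devices.get(account, []))


# Constructed sample devices (not real identifiers).
OWNER_PHONE: Attrs = {
    "app_name": "Alipay", "app_version": "10.0.0", "sdk_version": "1.0",
    "device_name": "owner-phone", "model": "PhoneX", "os": "Android 7.0",
    "imei": "000000000000001", "mac": "02:00:00:00:00:01",
    "network": "wifi:home", "software_id": "sw-1", "developer_id": "dev-1",
}
# Same phone after an app upgrade, now on 4G: two low-weight attributes changed.
OWNER_PHONE_UPGRADED: Attrs = dict(OWNER_PHONE, app_version="10.0.1", network="4g:carrier")
# A friend's phone running the same app build: every hardware identifier differs.
FRIEND_PHONE: Attrs = dict(
    OWNER_PHONE, device_name="friend-phone", model="PhoneY",
    imei="000000000000002", mac="02:00:00:00:00:02", network="wifi:office",
)


def demo() -> Dict[str, bool]:
    """Owner's upgraded phone may use the reset; a friend's phone may not."""
    rc = RiskControl()
    rc.register_device("alice", OWNER_PHONE)
    return {
        "owner_upgraded": rc.allow_related_info_reset("alice", OWNER_PHONE_UPGRADED),
        "friend": rc.allow_related_info_reset("alice", FRIEND_PHONE),
    }


if __name__ == "__main__":
    print(demo())
```

The upgraded owner phone keeps 19 of the 21 weight points and is accepted; the friend's phone, which shares only the app build and OS string (7 of 21), is refused even though it answered the knowledge questions. The weights and threshold are the knobs a real risk-control system would tune from its own data; the point of the example is that an attacker on a different device cannot reach the knowledge-based reset at all.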
Leifeng.com will continue to report on this incident and restore the key technical details for everyone.