
Customers of 7-Eleven Japan lost $500,000 due to a flaw in the mobile app


Cyber criminals have exploited an improperly implemented password reset process in 7-Eleven's 7pay app to make unwanted charges on about 900 customers' accounts.

7-Eleven Inc. is a Japanese-American international chain of convenience stores. News of the day is that hackers exploited a weakness in the password reset function of its mobile payment app to make unwanted charges on customers' accounts.

Crooks targeted approximately 900 customers of the company; the fraudulent charges on 7pay app accounts are estimated at a total of ¥55 million (about $510,000).

“Currently, it has been confirmed that some accounts may be accessed by third parties.” reads the security advisory published by the company.

“Therefore, we will stop charging with credit card and debit card until the security of the transaction is confirmed, cash charge at Seven Bank ATM, charge at nanaco points, Seven-Eleven storefront cash register We will only charge cash. We will inform you as soon as the prospect of reopening is reached. We deeply apologize to everyone for the great inconvenience and concern.”

7-Eleven Japan launched the 7pay mobile payment app in Japan on July 1.

Every time a customer needs to pay, the mobile app displays a barcode on the phone; the cashier scans it and the purchased products are charged to the customer's account.

Unfortunately, the password reset function was poorly designed: it allowed anyone to reset the password of another customer's account, as long as they knew the victim's email address, date of birth, and phone number.

“A credit card abuse incident has occurred with Seven Eleven’s smartphone payment “7pay”. Although the cause is not clear yet, it turned out that the specification has a big weakness.” reads a post published by Yahoo Japan.

“Knowing the email address, date of birth, and phone number, it turned out that a third party could change the 7pay 7-Eleven app password. Furthermore, because there is no second authentication such as SMS authentication, it is possible for a third party to take over.”

The presence of an additional field in the password reset form allowed an attacker to request that the reset link be sent to an email address of their choosing instead of to the legitimate owner.
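As an added illustration (not code from 7-Eleven or from this article), here is the weak reset pattern described above beside a hardened one, using constructed sample data: the hardened flow delivers the link only to the address on record, never treats a blank identity field as a match, and issues random, single-use, time-limited tokens.

```python
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # reset links expire after 15 minutes

# Constructed sample account store; a real system would use a database.
USERS = {
    "alice@example.com": {"dob": "1990-05-12", "phone": "09012345678", "password": "hunter2"},
}
RESET_TOKENS = {}  # token -> (account email, expiry timestamp)

def _identity_matches(email, dob, phone):
    """Constant-time check of the knowledge factors; blank fields never match,
    so an omitted date of birth cannot fall through to some default value."""
    user = USERS.get(email)
    if user is None or not dob or not phone:
        return False
    return hmac.compare_digest(user["dob"], dob) and hmac.compare_digest(user["phone"], phone)

def _issue_token(email, now):
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    RESET_TOKENS[token] = (email, now + TOKEN_TTL)
    return token

def vulnerable_reset(email, dob, phone, send_to, now=None):
    """The flawed pattern: the request chooses the delivery address, so whoever
    knows the victim's email, date of birth and phone number receives the link."""
    if not _identity_matches(email, dob, phone):
        return None
    return send_to, _issue_token(email, now or time.time())

def hardened_reset(email, dob, phone, now=None):
    """Fixed pattern: the link is delivered only to the address on record;
    the request has no say in where it goes."""
    if not _identity_matches(email, dob, phone):
        return None
    return email, _issue_token(email, now or time.time())

def consume_token(token, new_password, now=None):
    """Redeem a reset token exactly once and only before it expires."""
    entry = RESET_TOKENS.pop(token, None)  # pop makes the token single-use
    if entry is None:
        return False
    email, expiry = entry
    if (now or time.time()) > expiry:
        return False
    USERS[email]["password"] = new_password
    return True
```

A real deployment would additionally confirm the reset through a second channel tied to the account (for example a code sent to the phone number on record), which the article notes 7pay lacked.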

The flawed design would also have allowed January 1, 2019 to be used as a default date of birth, which further eased the attackers' work.

Seven Eleven stopped the 7pay service on July 3, 2019 to resolve the issue.

“2. Number of persons suspected of unauthorized access / amount (estimated) – Approximately 900 people / approximately 55 million yen ※ As of July 4, 2019 6:00” reads the press release published by the company.

“3 About the correspondence to the customer – We will compensate for all the damage to the customers who suffered from this matter.
・ Customer support center emergency dial (TEL: 0120-192-044) has been established. If you feel uneasy, please contact the customer support center”

The good news for customers is that the company has promised to compensate those who fell victim to the hackers.

Pierluigi Paganini

(SecurityAffairs – 7-Eleven Japan, hacking)
