Taobao process design vulnerability: payment transactions can be completed without the payment password - vulnerability warning - the black bar safety net

2013-03-29T00:00:00
ID MYHACK58:62201338014
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2013-03-29T00:00:00

Description

Brief description:

Alipay is a relatively secure online payment tool; however, under certain conditions, Alipay's digital certificate and payment password can be bypassed to complete a payment. As a means for the underground economy to steal money, it can bring in a fortune every day.

Detailed description:

Alipay is Alibaba's online payment platform; everyone who shops on Taobao has used Alipay. Alipay is a relatively secure online payment tool; however, under certain conditions, Alipay's digital certificate and payment password can be bypassed to complete a payment.

Vulnerability proof:

First, the Taobao shopping process, taken from the Taobao service center.

[Figure 1: Taobao shopping process]

Then, when the buyer confirms receipt, the digital certificate and payment password are checked, as shown in Figure 2.

[Figure 2: the prompt to install the digital certificate]

This is the normal process. So what if my purchase did not go well? Taobao has thought of that too, and there is a refund process.

[Figure 3: Taobao refund process]

In this process the buyer initiates a return request and the seller agrees. The buyer then sends the goods back, and the seller confirms receipt and refunds. This process looks fine, but it hides a great vulnerability: initiating a refund application does not check Alipay's digital certificate or payment password, so the digital certificate and payment password can be bypassed. Because the refund amount in a Taobao refund is negotiable, i.e. entered by the user, if I bought something for 2500 Yuan and request a refund of 100 Yuan, the seller can put the remaining 2400 Yuan straight into their own pocket.
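The flaw above is that the refund flow releases escrowed money to the seller without the step-up check (payment password plus digital certificate) that the confirm-receipt flow enforces. The following Python model is an added example written for this page, not Taobao's or Alipay's code: it models both flows over a toy escrow ledger, with `require_step_up=False` reproducing the reported design and `require_step_up=True` applying the invariant that funds never leave escrow towards the seller without step-up authentication. The order, session and amounts are constructed for illustration.

```python
from dataclasses import dataclass, field


class StepUpRequired(Exception):
    """Raised when a funds-releasing action is attempted without the payment password / certificate."""


@dataclass
class Session:
    user: str
    step_up_ok: bool = False   # True only after payment password + digital certificate were verified


@dataclass
class Order:
    order_id: str
    buyer: str
    seller: str
    paid: int                  # amount held in escrow, in yuan (constructed value)
    state: str = "SHIPPED"
    ledger: list = field(default_factory=list)   # (recipient, amount) entries, released from escrow


def _release(order, recipient, amount):
    order.ledger.append((recipient, amount))


def confirm_receipt(order, session):
    """Normal completion: the buyer confirms receipt and escrow goes to the seller.

    This flow already requires step-up authentication (Figure 2 in the text).
    """
    if session.user != order.buyer:
        raise PermissionError("only the buyer can confirm receipt")
    if not session.step_up_ok:
        raise StepUpRequired("confirm receipt")
    order.state = "COMPLETED"
    _release(order, order.seller, order.paid)
    return order.paid


def settle_refund(order, session, refund_amount, require_step_up):
    """Refund flow: the buyer gets refund_amount, the seller keeps the remainder.

    require_step_up=False models the reported design: a logged-in session (which may be
    a stolen one) is enough, and a partial refund credits the seller with the difference.
    require_step_up=True models the fix: whenever the settlement releases escrow to the
    seller, the same step-up check as confirm_receipt is demanded.
    Returns the amount the seller keeps.
    """
    if session.user != order.buyer:
        raise PermissionError("only the buyer can settle a refund")
    if not 0 < refund_amount <= order.paid:
        raise ValueError("refund amount must be between 1 and the paid amount")
    seller_keeps = order.paid - refund_amount
    # The fix: money moving from escrow to the seller is exactly what the
    # payment password / certificate is meant to guard, in every flow.
    if require_step_up and seller_keeps > 0 and not session.step_up_ok:
        raise StepUpRequired("refund settlement credits the seller")
    order.state = "REFUNDED"
    _release(order, order.buyer, refund_amount)
    if seller_keeps > 0:
        _release(order, order.seller, seller_keeps)
    return seller_keeps


def demo():
    """Runs the 2500 / 100 scenario from the text under both policies."""
    hijacked = Session("buyer")                 # logged in, but no step-up performed
    weak = Order("weak", "buyer", "seller", 2500)
    weak_result = settle_refund(weak, hijacked, 100, require_step_up=False)
    fixed = Order("fixed", "buyer", "seller", 2500)
    try:
        settle_refund(fixed, hijacked, 100, require_step_up=True)
        fixed_result = "settled without step-up"
    except StepUpRequired as exc:
        fixed_result = f"blocked: {exc}"
    return weak_result, weak.ledger, fixed_result, fixed.ledger


if __name__ == "__main__":
    print(demo())
```

Under the weak policy the hijacked session moves 2400 Yuan of escrow to the seller; under the fixed policy the same request is rejected and the ledger stays empty until the buyer's session has passed step-up authentication.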

Some people are already quietly making a fortune with this vulnerability; the technique is as follows. First, list cheap goods on Taobao, for example an iPhone 5 sold for only 2500 Yuan. Then push these links out through various channels, such as posting the link on forums and leaving a QQ number. After the item has been bought and paid for, under the pretext of confirming the shipping or a giveaway, send a phishing link disguised as Taobao in order to harvest the buyer's Taobao account and password. The scammer then processes the shipment, logs into the buyer's account and, through the return process, quickly gets the buyer's money into their own hands. Out of 2500 Yuan, a hundred or so is refunded to the buyer; a single transaction earns several thousand.


Repair solutions:

Taobao knows how to fix this better than I do. ~