Home » News » Tech » Xiaomi Fixes Bugs In Its Mobile Payment Mechanism
1-MIN READ

Xiaomi Fixes Bugs In Its Mobile Payment Mechanism

IANS

Last Updated: August 13, 2022, 18:05 IST

New Delhi, India

Left unpatched, an attacker could steal private keys used to sign Wechat Pay control and payment packages, and an unprivileged Android app could have created and signed a fake payment package.

Left unpatched, an attacker could steal private keys used to sign Wechat Pay control and payment packages, and an unprivileged Android app could have created and signed a fake payment package.

Xiaomi has fixed some bugs that were identified in its mobile payment mechanism by cyber security researchers, Check Point Research (CPR) said

Global smartphone player Xiaomi has fixed some bugs that were identified in its mobile payment mechanism by cyber security researchers, Check Point Research (CPR) said.

Left unpatched, an attacker could steal private keys used to sign Wechat Pay control and payment packages, and an unprivileged Android app could have created and signed a fake payment package.

WATCH VIDEO: VLC Media Player Banned In India- Why?

The cyber-security researchers disclosed its findings to Xiaomi, which acknowledged and issued immediate fixes for the bugs.

“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application,” said Slava Makkaveev, security researcher at Check Point.

Over 1 billion users could have been affected by the bugs, if left unpatched.

“We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues,” Makkaveev added.

WATCH VIDEO: Samsung Galaxy Flip 4 first look

The cyber-security company immediately disclosed the findings to Xiaomi, which “worked swiftly to issue a fix”.

The devices studied by CPR were powered by MediaTek chips.

The team detailed two ways to attack the trusted code.

WATCH VIDEO: How To Use AI To Create Your Own Art Online

“First, from an unprivileged Android app, where the user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money,” said the CPR team.

Second, if the attacker has the target devices in their hands.

“The attacker roots the device, then downgrades the trust environment, and then runs the code to create a fake payment package without an application,” it added.

Read the Latest News and Breaking News here

Tags:
first published:August 13, 2022, 18:05 IST
last updated:August 13, 2022, 18:05 IST