Aug 17 – The smartphone maker known as Xiaomi, the world’s third-largest smartphone builder, which trails just behind Apple and Samsung, reported that it has patched a high-severity flaw in its ‘trusted environment’ which is used to store payment data.
Last week, researchers at Check Point revealed that the Xiaomi smartphone flaw could have enabled attackers to hijack the mobile payment system on the phones. Alternatively, hackers could have disabled it, or created and signed their own forged transactions.
Given that 1 out of every 7 smartphones is manufactured by Xiaomi, the pool of potential victims was massive. “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept,” wrote Slava Makkaveev, a Check Point security researcher.
According to Slava, the new research marks the first time during which Xiaomi’s trusted applications have been reviewed for security flaws.
The security flaw
WeChat Pay is a mobile payment transaction platform, also developed by Xiaomi.
The service is used by more than 300 million customers. Android users can make mobile payments and proceed with online payment transactions through the app.
The duration of time for which the vulnerability has existed or whether or not it has been exploited by attackers in the wild remains unclear. The bug, tracked as CVE-2020-14125, was patched by Xiaomi in June. It has a high CVSS severity rating.
Although details surrounding the bug’s impact were initially quite limited, researchers at Check Point have outlined the technical details and the full potential impact of the flaw, here.
Lastly, to receive more timely cyber security news, top-tier reports and cutting-edge analyses, please sign up for the cybertalk.org newsletter.