{"id":1443,"date":"2018-07-09T20:53:23","date_gmt":"2018-07-09T20:53:23","guid":{"rendered":"http:\/\/blog.nsfocusglobal.com\/?p=1443"},"modified":"2018-07-09T20:53:23","modified_gmt":"2018-07-09T20:53:23","slug":"xxe-vulnerability-in-wechat-payment","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/xxe-vulnerability-in-wechat-payment\/","title":{"rendered":"XXE Vulnerability in WeChat Payment"},"content":{"rendered":"<p>The website Seclists.Org disclosed a vulnerability in WeChat Pay on 3 July 2018. It was found by a payment security researcher, who described that WeChat unintentionally introduced an XXE (XML External Entity) vulnerability in the Java version of the SDK, in the code path used when merchants provide a notification URL to accept asynchronous payment results. An attacker can send a crafted payload to the notification URL to steal any information from the merchant server. Once the attacker obtains the merchant's crucial secrets (the MD5 key, merchant ID, etc.), he can even buy anything without paying, simply by sending forged payment information to deceive the merchant. For details, please see<br \/>\n<a href=\"http:\/\/seclists.org\/fulldisclosure\/2018\/Jul\/3\">http:\/\/seclists.org\/fulldisclosure\/2018\/Jul\/3<\/a><\/p>\n<h2>Solution<\/h2>\n<p>As stated by the researcher, WeChat can fix the issue quite easily by updating the SDK; the bad news, however, is that exposed merchants may need a relatively long time, as well as cost and skills, to complete their countermeasures.<\/p>\n<p>WeChat is handling this vulnerability. Users are recommended to keep a close watch on this issue and upgrade the WeChat system once the fix is released.<\/p>\n<p>WeChat blog: <a href=\"http:\/\/blog.wechat.com\/\">http:\/\/blog.wechat.com\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The website Seclists.Org disclosed a vulnerability in WeChat Pay on 3 July 2018. 
It was found by a payment security researcher, who described that WeChat unintentionally provides an xxe vulnerability in the JAVA version SDK when merchants provide a notification URL to accept asynchronous payment results. The attacker can build malicious payload towards the notification [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1509,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-1443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-events"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>XXE Vulnerability in WeChat Payment - NSFOCUS<\/title>\n<meta name=\"robots\" content=\"noindex, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"XXE Vulnerability in WeChat Payment - NSFOCUS\" \/>\n<meta property=\"og:description\" content=\"The website Seclists.Org disclosed a vulnerability in WeChat Pay on 3 July 2018. 
It was found by a payment security researcher, who described that WeChat\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nsfocusglobal.com\/xxe-vulnerability-in-wechat-payment\/\" \/>\n<meta property=\"og:site_name\" content=\"NSFOCUS\" \/>\n<meta property=\"article:published_time\" content=\"2018-07-09T20:53:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/07\/Screen-Shot-2018-08-02-at-17.22.09.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"XXE Vulnerability in WeChat Payment - NSFOCUS\" \/>\n<meta name=\"twitter:description\" content=\"The website Seclists.Org disclosed a vulnerability in WeChat Pay on 3 July 2018. It was found by a payment security researcher, who described that WeChat\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/07\/Screen-Shot-2018-08-02-at-17.22.09.png\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
tempo de leitura\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minuto\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\"},\"headline\":\"XXE Vulnerability in WeChat Payment\",\"datePublished\":\"2018-07-09T20:53:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/\"},\"wordCount\":183,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/Screen-Shot-2018-08-02-at-17.22.09.png\",\"articleSection\":[\"Global Events\"],\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/\",\"name\":\"XXE Vulnerability in WeChat Payment - 
NSFOCUS\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/Screen-Shot-2018-08-02-at-17.22.09.png\",\"datePublished\":\"2018-07-09T20:53:23+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/#primaryimage\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/Screen-Shot-2018-08-02-at-17.22.09.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/Screen-Shot-2018-08-02-at-17.22.09.png\",\"width\":1300,\"height\":524,\"caption\":\"WeChat Pay logo with green checkmark.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xxe-vulnerability-in-wechat-payment\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/nsfocusglobal.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"XXE Vulnerability in WeChat Payment\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"name\":\"NSFOCUS\",\"description\":\"Security Made Smart and 
Simple\",\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\",\"name\":\"NSFOCUS\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"width\":248,\"height\":36,\"caption\":\"NSFOCUS\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\\\/\\\/nsfocusglobal.com\"],\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/1443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/user
s\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/comments?post=1443"}],"version-history":[{"count":0,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/1443\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media\/1509"}],"wp:attachment":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media?parent=1443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/categories?post=1443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/tags?post=1443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}