March 29, 2023

Vulnerabilities in Xiaomi’s mobile payment could lead to an attacker stealing private keys used to sign Wechat Pay control and payment packages.

The flaws were found in Xiaomi’s trusted execution environment (TEE), the system element responsible for storing and managing sensitive information such as keys and passwords.

The devices were powered by MediaTek chips and were found to be susceptible to two different kinds of attacks targeting the vulnerability.

Advertisements

The first one was from an unprivileged malicious Android app, installed and launched by a user. In this case, the app would be able to extract the keys and send a fake payment packet to steal the money.

The second attack method involved the physical possession of the device by the attacker. In this case, they could root the device, downgrade the trust environment, and then run the code to create a fake payment package without an application.

Researchers disclosed the vulnerabilities to Xiaomi, and the phone manufacturer acknowledged and promptly patched them.

Researchers from checkpoint research have documented this vulnerability.

Tags:

Leave a Reply

You may have missed

Apple Backports ZeroDay Patches for older devices

Apple Backports ZeroDay Patches for older devices

March 28, 2023
Apache Fineract Vulnerabilities

Apache Fineract Vulnerabilities

March 28, 2023
IceID Malware Shifting Focus to Ransomwares

IceID Malware Shifting Focus to Ransomwares

March 28, 2023
Sun Pharma suffers a Security Incident

Sun Pharma suffers a Security Incident

March 28, 2023
Twitter Source Code Leak on Git

Twitter Source Code Leak on Git

March 27, 2023
Okta Credentials Exposed via Post Exploitation Attack

Okta Credentials Exposed via Post Exploitation Attack

March 27, 2023
%d bloggers like this: