7-Eleven App Flaws Exploited

The mobile app of the Japanese-American convenience store chain 7-Eleven Inc. has reportedly suffered a cyber attack. Hackers exploited 7-Eleven app flaws to pilfer thousands of dollars from customers. As revealed by Yahoo Japan, the 7-Eleven mobile payment app ‘7pay’ had some obvious security vulnerabilities that put all customer accounts at risk. Consequently, it didn’t take long for attackers to exploit the vulnerabilities for malicious gain.

7-Eleven Inc. launched the mobile payment app on July 1, 2019. The app was meant to let customers make smooth online payments via barcodes. After making a purchase, a customer would simply show the barcode to the cashier, who would then scan it for billing. However, right after the launch, customers began complaining about unauthorized transactions from their accounts. As disclosed later in a company press release, the company received the first complaint on July 2, 2019. Upon digging further into the matter, it identified ‘illegal use’.

While the cause of the attack initially remained undetermined, Yahoo Japan pointed out some security issues with the app. It turned out that a weakness in the password reset feature of 7pay could have triggered the attack. A third party who knew a user’s email address, date of birth, and phone number could change the 7pay password. Furthermore, an attacker could have the password reset message sent to any other email address, unrelated to the one registered with the app. (Though doing so would notify the registered email address as well.) Moreover, the app lacked two-step verification: because there was no second authentication step such as SMS authentication, a third party could take over an account.

By exploiting these flaws, the attackers managed to pilfer 55 million yen (~$510,000), affecting 900 customers.
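A simplified model of the reset flow described above, next to a hardened version that sends a single-use, expiring token only to the registered address. This is an added example, not 7pay's code; the function names, in-memory stores and sample account are hypothetical and constructed for illustration.

```python
import hashlib, secrets, time

# Constructed sample account; every name and value here is hypothetical.
USERS = {"alice@example.com": {"dob": "1990-01-01", "phone": "09012345678"}}
OUTBOX = []      # (recipient, token) pairs standing in for sent mail
TOKENS = {}      # sha256(token) -> (account email, expiry timestamp)
TOKEN_TTL = 900  # seconds a reset token stays valid

def _issue(account, recipient):
    token = secrets.token_urlsafe(32)            # unguessable, 256 bits
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[digest] = (account, time.time() + TOKEN_TTL)  # store only the hash
    OUTBOX.append((recipient, token))

def request_reset_weak(email, dob, phone, send_to=None):
    """Flaw as reported: knowable facts authorize the reset, and the
    caller chooses where the reset message goes."""
    user = USERS.get(email)
    if not user or (user["dob"], user["phone"]) != (dob, phone):
        return False
    _issue(email, send_to or email)
    if send_to and send_to != email:
        OUTBOX.append((email, None))             # registered address is only notified
    return True

def request_reset_hardened(email):
    """No caller-chosen destination: the token goes only to the registered
    address, and the reply is identical whether or not the account exists."""
    if email in USERS:
        _issue(email, email)
    return True

def redeem(token, now=None):
    """Single-use, expiring token; returns the account it unlocks, or None."""
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return None
    account, expiry = entry
    now = time.time() if now is None else now
    return account if now < expiry else None
```

The hardened path addresses the reset destination only; the missing second factor noted in the article would still need its own check before sensitive actions.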
