Customers of 7-Eleven Japan lost $500,000 due to a flaw in the mobile app

Pierluigi Paganini July 07, 2019

Cyber criminals exploited an improperly implemented password reset process in 7-Eleven Japan's 7pay app to make unauthorized charges against roughly 900 customers' accounts.

7-Eleven Inc. is a Japanese-American international chain of convenience stores. The news of the day is that hackers exploited a weakness in the password reset function of its 7pay app to make unauthorized charges on customers' accounts.

Crooks targeted approximately 900 of the company's customers; it is estimated that they charged a total of ¥55 million (about $510,000) to 7pay app accounts.

“Currently, it has been confirmed that some accounts may be accessed by third parties.” reads the security advisory published by the company.

“Therefore, we will stop charging with credit card and debit card until the security of the transaction is confirmed; charging will be accepted only by cash at Seven Bank ATMs, with nanaco points, and by cash at Seven-Eleven store registers. We will inform you as soon as the prospect of reopening is reached. We deeply apologize to everyone for the great inconvenience and concern.”

7-Eleven Japan launched the 7pay mobile payment app on July 1, 2019.

Every time a customer completes a payment, the mobile app displays a barcode on the phone; the cashier scans the barcode and the purchase is charged to the customer's 7pay balance.

Unfortunately, the password reset function was so poorly designed that anyone could reset the password of another customer's account: the attacker only needed to know the victim's email address, date of birth, and phone number.

“A credit card abuse incident has occurred with Seven Eleven's smartphone payment “7pay”. Although the cause is not yet clear, it has turned out that the specification has a big weakness.” reads a post published by Yahoo Japan.

“Knowing the email address, date of birth, and phone number, it turned out that a third party could change the 7pay 7-Eleven app password. Furthermore, because there is no second authentication such as SMS authentication, it is possible for a third party to take over the account.”

The presence of an additional field in the password reset form allowed the attacker to request that the password reset link be sent to an email address of the attacker's choosing instead of to the account's legitimate owner. Combined with the absence of any second factor, possession of that link was enough to take over the account.


The feature was also poorly designed in that it used January 1, 2019 as the default date of birth, so any account whose owner had never changed that value could be reset with the same guess, further easing the attackers' work.

7-Eleven suspended the 7pay service on July 3, 2019 while it addressed the issue.

“2. Number of persons suspected of unauthorized access / amount (estimated) – Approximately 900 people / approximately 55 million yen (as of July 4, 2019, 6:00)” reads the press release published by the company.

“3. About the response to the customer – We will compensate for all the damage to the customers who suffered from this matter.
・ A customer support center emergency dial (TEL: 0120-192-044) has been established. If you feel uneasy, please contact the customer support center.”

The good news for customers is that the company has promised to compensate everyone who fell victim to the fraud.


Pierluigi Paganini

(SecurityAffairs – 7-Eleven Japan, hacking)
