Serious vulnerability in a third-party payment platform: the SMS verification code is returned directly in the page response

Source: Internet
Author: User

While going through the password-retrieval flow, I requested an SMS verification code to my own phone and intercepted the POST request in a proxy. The intercepted data showed the account, the mobile phone verification code, the password and the payment password directly. Details below.

Click "get verification code" and intercept the POST. The part marked in red in the intercepted data is the mobile phone verification code, and it is identical to the code that arrived on my phone. This is extremely dangerous: as long as you know the phone number of any account, you can start password retrieval for it, read the verification code out of the intercepted response, pass the reset check, set a new password for that user, and log in to the account. But that is not all; there are more serious problems. Look further through the intercepted data and you will find, again in red, the MD5 hashes of the ID card number and of the password (both can be cracked by brute force or lookup tables). Far too much account information is exposed here: the payment password, the bound bank card number, the server address of the payment platform, and the digital signature and certificate used for communication with the bank.
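To show why an unsalted MD5 of an ID card number in the response is no protection, here is an added example (not code from the original post or from the platform). It assumes the identifier follows the 18-digit GB 11643-1999 layout (6-digit region, 8-digit birth date, 3-digit sequence, 1 check character) and that the attacker already knows the region and birth date; the sample ID is constructed for the demonstration.

```python
import hashlib
from typing import Optional

# Added example: recovering a structured identifier from its unsalted MD5.
# Assumption: 18-digit GB 11643-1999 layout; region and birth date known to the attacker.

WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
CHECK_CHARS = "10X98765432"


def check_char(first17: str) -> str:
    """ISO 7064 MOD 11-2 check character used by the 18-digit layout."""
    total = sum(int(d) * w for d, w in zip(first17, WEIGHTS))
    return CHECK_CHARS[total % 11]


def md5_hex(s: str) -> str:
    """Unsalted MD5 as the platform stores it (the weak part)."""
    return hashlib.md5(s.encode()).hexdigest()


def crack_id_md5(target_hash: str, region: str, birth_date: str) -> Optional[str]:
    """Enumerate the only unknown part (3-digit sequence) and rebuild the
    check character for each candidate: 1000 hashes at most."""
    for seq in range(1000):
        first17 = f"{region}{birth_date}{seq:03d}"
        candidate = first17 + check_char(first17)
        if md5_hex(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed victim: region 110101, born 1990-01-01, sequence 123.
    first17 = "11010119900101123"
    leaked = md5_hex(first17 + check_char(first17))
    print(crack_id_md5(leaked, "110101", "19900101"))
```

If only the birth year is known, the search grows by roughly 365 per year, which is still a fraction of a second; the MD5 of the password is the same problem attacked with a wordlist instead of enumeration. The point is that an unsalted hash of low-entropy data leaked to the client is effectively the plaintext.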



Solution:

Do not put sensitive information into the response or into session cookies. The SMS verification code must be generated and checked on the server and never sent back to the client. Do not let the mobile phone number alone be enough to change the password; the account should also have a hidden registered email address (or another factor) that the reset flow requires.
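The following added example (not code from the original post or from the platform) puts the reported pattern next to a hardened version of the same step. The in-memory dict standing in for the session store, the list standing in for the SMS gateway, and the TTL and attempt limits are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Tuple

# Added example: "send verification code" step of a password reset, reported
# pattern vs hardened version. Store, SMS gateway and limits are stand-ins.

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
SERVER_KEY = os.urandom(32)  # per-deployment secret used to hash stored codes

sms_outbox: List[Tuple[str, str]] = []      # stand-in for the SMS gateway
reset_sessions: Dict[str, dict] = {}        # reset_token -> session state


def _new_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"


def _hash_code(token: str, code: str) -> bytes:
    # Bind the code to its reset token: a code captured for one session is useless for another.
    return hmac.new(SERVER_KEY, f"{token}:{code}".encode(), hashlib.sha256).digest()


def start_reset_vulnerable(phone: str) -> dict:
    """The reported pattern: the server generates the code, then echoes it to
    the client in the response together with account data."""
    code = _new_code()
    sms_outbox.append((phone, f"Your code is {code}"))
    return {"phone": phone, "sms_code": code}   # the client never needed this


def start_reset(phone: str) -> dict:
    """Hardened: the response carries only an opaque token; the code goes to
    the phone, and only a keyed hash of it is kept server-side."""
    token = secrets.token_urlsafe(24)
    code = _new_code()
    reset_sessions[token] = {
        "phone": phone,
        "code_hash": _hash_code(token, code),
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    sms_outbox.append((phone, f"Your code is {code}"))
    return {"reset_token": token}


def verify_code(token: str, code: str) -> bool:
    """Unknown token, expiry and attempt limit all fail closed; the comparison
    is constant-time; the session is consumed on success (one-time use)."""
    sess = reset_sessions.get(token)
    if sess is None or time.time() > sess["expires"]:
        reset_sessions.pop(token, None)
        return False
    sess["attempts"] += 1
    if sess["attempts"] > MAX_ATTEMPTS:
        del reset_sessions[token]
        return False
    if hmac.compare_digest(sess["code_hash"], _hash_code(token, code)):
        del reset_sessions[token]
        return True
    return False


if __name__ == "__main__":
    resp = start_reset("13800000000")
    delivered = sms_outbox[-1][1].split()[-1]   # what the user reads off the phone
    print(resp, verify_code(resp["reset_token"], delivered))
```

The attempt limit matters as much as keeping the code out of the response: a six-digit code with unlimited guesses is only a million requests away.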
