Approximately 900 customers of 7-Eleven Japan have lost a collective of ¥55 million ($510,000) after hackers hijacked their 7pay app accounts and made illegal charges in their names.
The incident was caused by an appalling security lapse in the design of the company's 7pay mobile payment app, which 7-Eleven Japan launched in the country on July 1st.
The 7pay mobile app was designed to show a barcode on the phone's screen when customers reach the 7-Eleven cashier counters. The cashier scans the barcode, and the bought goods are charged to the user's 7pay app and the customer's credit or debit cards that have been saved in the account.
However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people's accounts, but have the password reset link sent to their email address, instead of the legitimate account owner.
A hacker only needed to know a 7pay user's email address, date of birth, and phone number. An additional field in the password reset section allowed the hacker to request that the password reset link be sent to a third-party email address (under the hacker's control), with no need to dig through the app's code or tamper with HTTP requests, like most of these hacks involve.
Furthermore, if the user didn't enter their date of birth, the app would use a default of January 1, 2019, making some attacks even easier, according to a report in Yahoo Japan. With so much data about Japanese users lying around the internet from the multitude of past breaches, a hacker only had to compile it and automate an attack.