According to the vulnerability description given by white hat, when wechat payment is used, merchants need to provide a notification URL to accept asynchronous payment results. The problem is that there is an xxE vulnerability in the implementation of wechat in Java SDK. An attacker can build a malicious payload to the notification URL and steal any information of the merchant server as needed. Once the attacker obtains the merchant's key security key (MD5 key, merchant ID, etc.), he can cheat the merchant to buy anything by sending forged information without paying.

Wechat can fix the problem by updating the SDK, but it will take time and experience for businesses to fix the vulnerability.

This article is shared with WeChat official account - FreeBuf (freebuf).

Original time of publication: July 3, 2018

This article participates in Tencent cloud self media sharing plan, and you are welcome to join in and share.