A flaw in the December 2020 rollout of PIX payments at the Kabum online store allowed a malicious user to view other customers’ data. From it, an attacker could recover the items ordered, the order value, the buyer’s full name and CPF, the date and the order number. Kabum fixed the problem as soon as it was alerted, and there are no reports that the loophole was maliciously exploited.
According to an anonymous source, the problem was in the QR Code string used for PIX payment. “Kabum uses the order number, which is sequential, so it’s easy to find others. And then, through the QR Code data, you just follow the thread to the payer’s personal data and what they ordered”, warned the source.
When asked about the encryption of this information, the source replied: “Encryption does not bring secrecy when there is no secret element; encryption of Pix data guarantees authenticity and a chain of accountability, but that’s about it.” The online store adds: “We reinforce that the system was implemented by KaBuM! following all the recommendations and security protocols requested by the Central Bank”.
Kabum was alerted by TechWorld about the issue, which was fixed within hours of the December 18 alert.
According to the documents received, the vulnerability affected payments made via PIX Itaú during a specific period. Kabum denies that the flaw was exploited by cybercriminals.
Error was in the QR Code
As with all company developments, especially an innovation such as PIX, safety and best-practice protocols are fully adopted. Thus, we reinforce that the system was implemented by KaBuM! following all the recommendations and security protocols requested by the Central Bank.
Given the possibility described by TechWorld on December 18, 2020, during the first days of the service’s operation, both the development and security teams of KaBuM! and those of the financial institutions supplying PIX were promptly activated to carry out new tests and any corrections, in order to avoid any systemic behavior different from that expected by the established protocols, and to ensure that there was no data leakage or any kind of damage to our clients.
As part of our continuous improvements and to ensure maximum caution, still with reference to Tecmundo’s contact, an update was previously carried out so that all data contained in the Pix key is automatically erased, both by KaBuM! and by the Central Bank, after its expiration, which occurs in just 30 minutes. This largely mitigates any data exposure.
It is important to highlight that, as this is a new system, it is natural that Pix is subject to improvements. An example of this was the episode witnessed on February 11, 2021, involving fluctuations in the Central Bank’s payment method platform in financial institutions across the country. However, such needs for improvement do not outweigh the importance of this service to Brazilian consumers and companies.
In our e-commerce, PIX is completing two months of operation, working quickly and securely, without any complications since its implementation. The new service already ranks second in preference among the payment methods used by our customers.
Once again, KaBuM! is immensely grateful for the professionalism of TechWorld and its source, as well as for the opportunity to clarify. We remain at your service.