How Apple Pay Buttons Can Make Websites Less Safe

Apple Pay has a slew of protective features that make it a secure method of online credit card transactions. And since 2016, third-party merchants and services have been able to embed Apple Pay into their websites and offer it as a payment option. But at the Black Hat security conference in Las Vegas on Thursday, one researcher is presenting findings that this integration inadvertently introduces vulnerabilities that could expose the host website to attack.

To be clear, this isn't a flaw in Apple Pay itself, or its payment network. But the findings illustrate the unintended issues that can emerge from web interconnections and third-party integrations. Joshua Maddux, a security researcher at the analysis firm PKC Security, first noticed the issue last fall when he was implementing Apple Pay support for a client.

You set up Apple Pay functionality in your web service by integrating with the Apple Pay application programming interface—allowing Apple to power the module with its existing Apple Pay infrastructure. But Maddux noticed that the connection between a site and the Apple Pay infrastructure, and the validation mechanism meant to broker this connection, can be established in a number of different ways, all at the host site's discretion. An attacker could swap the URL a target site uses to talk to Apple Pay, for instance, with a malicious URL that can send queries or commands to the target site's infrastructure. From there, the attacker can use this position to potentially extract an authorization token or other privileged data, which in turn gives them access to the website's backend infrastructure.
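To make the URL swap described above concrete, here is an added example (not from the article, and not Apple's or PKC Security's code) of the server-side step at issue: a merchant endpoint that forwards the browser-supplied validation URL as-is, beside one that first checks that URL against an allow-list of gateway hosts and refuses redirects. The `validationURL` request field, the handler names, and the allow-list contents are assumptions; the list of gateway hosts must be taken from Apple's current documentation.

```javascript
// Added example (not Apple's code, not the article's): guarding the server-side
// merchant-validation step of Apple Pay on the Web against a swapped URL.
// Assumptions: the browser posts { validationURL } to this endpoint, and the
// allow-list below must be replaced with the gateway hosts Apple documents.

const ALLOWED_VALIDATION_HOSTS = new Set([
  "apple-pay-gateway.apple.com", // production gateway (verify against Apple's docs)
]);

// Accept only https, no embedded credentials, the default port, and an exact
// hostname match. A suffix or substring check would wrongly pass
// "apple-pay-gateway.apple.com.attacker.example".
function isSafeValidationUrl(candidate, allowedHosts = ALLOWED_VALIDATION_HOSTS) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return false; // unparsable input is rejected, not "fixed up"
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false; // https://allowed-host@other-host/ trick
  if (url.port !== "") return false; // only the default 443
  return allowedHosts.has(url.hostname);
}

// "Before": the handler forwards whatever URL the browser supplied, so the
// server makes an outbound request to a client-chosen destination (SSRF).
function vulnerableValidateMerchant(body, fetchImpl) {
  return fetchImpl(body.validationURL, { method: "POST" });
}

// "After": refuse anything off the allow-list, and do not follow redirects,
// since a redirect from the allowed host would otherwise bypass the check.
function hardenedValidateMerchant(body, fetchImpl) {
  if (!isSafeValidationUrl(body.validationURL)) {
    throw new Error("merchant validation URL rejected");
  }
  return fetchImpl(body.validationURL, { method: "POST", redirect: "error" });
}

// Constructed stand-in for fetch: records the destination instead of sending.
function recordingFetch(log) {
  return (target, options) => {
    log.push({ target, redirect: options.redirect ?? "follow" });
    return Promise.resolve({ ok: true });
  };
}
```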

The flaws fit into a well-known type of vulnerability called "server si ..