The syndicator BeeCloud has a design flaw: neither BeeCloud nor the merchant can verify the signatures of Alipay's payment notifications. Specifically, the merchant does not receive the notification message from Alipay, so it cannot verify its authenticity, and BeeCloud does not have the verification key. Exploiting this design flaw, an attacker could forge Alipay's payment notification to BeeCloud and obtain a product without paying.
OffPhone is a mobile app integrating TrPay (a payment syndicator wrapping WeChat and Alipay payment services) and has an implementation flaw that allows a malicious shopper to buy at a lower price. There are two reasons behind the flaw. First, TrPay does not instruct app developers to check the payment amount after the user makes a payment. Second, TrPay, as the syndicator, cannot check the payment amount on behalf of the app because it does not have the ground truth of the actual price. We confirmed that the flaw affects OffPhone consistently in its wrapping of both Alipay and WeChat.
The syndicator BeeCloud is supposed to perform some security checks on behalf of the merchant but does not, allowing a malicious shopper to pay her own merchant while obtaining the product from a different app. Specifically, BeeCloud only passes part of the payment notification to the merchant. An attribute being forwarded is notify_id, the merchant identity issued by Alipay for determining whether the merchant is the right recipient of the notification. Also, although another attribute, sell_id, which serves the same purpose, is indeed sent to the merchant, BeeCloud fails to mention it in its developer guide. Here we tried to find out whether the checks are done by BeeCloud. The demo shows that BeeCloud does not perform the necessary checks. Such a flaw opens a door for an attacker to pay her own merchant while getting the product from a different app.
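The three checks the merchant side is missing in the cases above (verifying the notification signature, comparing the paid amount against the merchant's own price, and confirming the merchant is the intended recipient) are illustrated below as an added example; it is not code from the paper, BeeCloud, TrPay or Alipay. The field names (out_trade_no, total_fee, seller_id, notify_id, sign), the order table and the HMAC-SHA256 stand-in for Alipay's RSA signature are assumptions made for the illustration.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation
from typing import Mapping

# Constructed sample data (not from the paper): the merchant's own ground truth.
MERCHANT_SELLER_ID = "seller-merchant-A"       # hypothetical id Alipay issued to us
NOTIFY_KEY = b"demo-shared-verification-key"   # stand-in for the provider's signing key
ORDERS = {"order-1001": "99.00"}               # out_trade_no -> price the merchant expects


def sign_notification(fields: Mapping[str, str], key: bytes) -> str:
    """Sign every field except 'sign', canonicalised in key order.
    HMAC-SHA256 stands in for Alipay's RSA signature; the checks below are the point."""
    canon = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sign")
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def make_notification(**fields: str) -> dict:
    """Build a signed notification the way the payment provider would."""
    msg = dict(fields)
    msg["sign"] = sign_notification(msg, NOTIFY_KEY)
    return msg


def verify_notification(msg: Mapping[str, str]) -> tuple[bool, str]:
    """Return (accepted, reason). Each check closes one of the flaws described above."""
    # 1. Signature: a merchant that never sees the raw notification cannot do this,
    #    and a syndicator without the key cannot do it either (BeeCloud case).
    expected = sign_notification(msg, NOTIFY_KEY)
    if not hmac.compare_digest(expected, msg.get("sign", "")):
        return False, "bad signature"
    # 2. Recipient: the money must have gone to *this* merchant (seller-id case).
    if msg.get("seller_id") != MERCHANT_SELLER_ID:
        return False, "paid to a different seller"
    # 3. Amount: compare against the merchant's own price, never the message (TrPay case).
    order = msg.get("out_trade_no", "")
    if order not in ORDERS:
        return False, "unknown order"
    try:
        paid = Decimal(msg.get("total_fee", ""))
    except InvalidOperation:
        return False, "malformed amount"
    if paid != Decimal(ORDERS[order]):
        return False, "amount mismatch"
    return True, "ok"
```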