The 7pay function in the 7-Eleven app. As of July 23, new registrations and top-ups (charges) are still suspended.
Business Insider Japan
About three weeks have passed since the unauthorized use of 7pay was discovered, and concerns about the vulnerabilities surrounding 7pay remain unresolved. During this time, several Chinese nationals suspected of being the perpetrators were arrested, and reports continue to point to security problems stemming from an inadequate implementation of external ID linkage (third-party login).
Seven & i HD plans to announce future countermeasures by mid-July.
But now, another problem has surfaced.
The source code, in effect the blueprint, of the e-commerce app "Omni7", which is also connected to 7pay, may have been leaked. Although the Omni 7 app is separate from the 7-Eleven app, some experts believe the two have very similar login designs.
If true, it may be necessary to scrutinize even more closely how app development is managed, and whether the apps and services themselves carry security risks.
Was the source code of “Omni 7 app” published on GitHub?
Business Insider Japan
"The program's source code may have been leaked, and we believe this is related to the 7pay issue."
One day in early July, Mr. Yusuke (a pseudonym), a programmer at an IT company in the Tokyo metropolitan area, showed the reporting team the actual source code.
Yusuke noticed the problem because, like Taro in the article of July 16, he had been analyzing the network traffic of the 7-Eleven app.
Even before the reports began, some IT engineers had speculated that there might be a design problem with external ID linkage.
Yusuke was one of those people. What set him apart was that, while analyzing the traffic, he decided to search GitHub for the hostname of the Omni 7 "API server" that appeared in the captured requests. GitHub is a development platform commonly used by developers to host source code.
According to Yusuke, this source code remained on GitHub until at least July 10. Sensing at first glance that it was "important information related to this issue," he saved a screenshot of the GitHub page in advance.
The source code was removed later that week. It is believed to have been uploaded by a person with a "7-character account name starting with i".
A screenshot of the repository (where it is stored on GitHub) before it was deleted.
Provided by: Coverage collaborators
Yusuke himself did not analyze the details of the source code.
However, even at a quick glance, he noticed that the iOS source code contained several email addresses in parts of the code that appear to belong to development contractors, and that, judging from the folder names, it looked like part of the Omni 7 app.
Judging from the traces left just before deletion, Yusuke believes it is highly likely that this source code was published on GitHub around May to July 2015, was never updated after that, and remained publicly accessible until it was deleted around July 10, 2019.
If true, this is an administrative oversight that cannot be ignored from a security standpoint.
Traces of a second set of source code, deleted at a Japanese company's request
The Omni 7 app. It is currently distributed on the App Store.
Shooting: 7pay coverage team
There was another worrying development regarding the possible source code leak.
Even after the source code discovered by Yusuke (referred to here as source code A for convenience) was deleted, a search for the name of the Omni 7 API server still returned another repository (storage location). It contained a fragment of source code (source code B) that was older than the now-deleted source code A and appeared to date from an early stage of development.
Below is a screenshot of the page, which the 7pay coverage team confirmed was still public as of July 19. The accounts associated with source code B also include a "7-character account name starting with i", as with source code A.
Screenshot saved by the editorial department as of July 19. The "7-character account name starting with i" can also be seen as the committer (mosaic applied). Perhaps because it is an early development version, the folder structure and other details differ from source code A.
7pay coverage team
Source code B then took an interesting turn.
A Japanese company filed a takedown notice with GitHub under the United States Digital Millennium Copyright Act (DMCA), GitHub accepted it, and the repository was subsequently deleted. The notice is also public in GitHub's log. It is dated July 18, local time.
A summary of the notice's content is as follows:
It is unknown whether the "original source code deleted on the 11th" refers to source code A, but judging from the date, it is highly likely that it is the code Yusuke found.
The original source code had been under investigation for several weeks
In fact, the 7pay coverage team had been investigating the matter for several weeks before the DMCA notice was discovered.
Before the DMCA notice came to light, the reporting team had asked Mr. Masanori Kusunoki, a visiting researcher at GLOCOM of the International University of Japan, to analyze the source code it had independently obtained. Kusunoki is an expert in application development and security.
Mr. Kusunoki said at the time that, although he could not say for certain, there was a high possibility that the source code was connected to Seven Net Shopping. This is the first time Mr. Kusunoki's comments have been made public.
From Kusunoki's Twitter account. He is also a well-known commentator on security and technology.
"(The source code) contains the digital certificates required for push notifications to iOS devices. Based on this, there is a high possibility that it is source code related to Seven Net Shopping.
From the header file of the SDK included for connecting to the BaaS (which BI Japan has already reported on), I found the same vulnerability that was pointed out regarding external ID login.
The 'secret required for external ID login' is written directly in the resource file.
If these files were open to the public on GitHub for a long period, it can be inferred that they were managed rather sloppily." (Mr. Kusunoki)
Also, in response to the discovery of the DMCA notice, Mr. Kusunoki commented again as follows: "Many development environments for smartphone applications assume an Internet connection, and it has become difficult to maintain confidentiality by isolating them from the Internet as was done in the past. In the case of iOS in particular, development is usually done on a Mac, and there are cases where a development company's data-leak countermeasures for Mac lag behind those for Windows."
SDK: abbreviation for Software Development Kit.
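As an added illustration, and not code from the article or from any Seven & i or Omni 7 project, the following Python scanner shows the kind of check Kusunoki's remarks imply: walking an iOS project tree for third-party-login secrets hard-coded in resource files (plist) and source, and for push-notification certificate material (PKCS#12 bundles, PEM private keys) committed alongside the code. The repository contents, file names, key names and values below are constructed for the example; the key-name patterns are assumptions about common naming, not anything taken from the leaked code.

```python
import plistlib
import re
from typing import Dict, List, Tuple

# Key names that commonly hold a third-party-login (OAuth/OpenID) secret. Assumed naming.
SECRET_KEY_RE = re.compile(r"(client|consumer|app|api)[_-]?secret", re.IGNORECASE)
# Source-level assignments such as `let clientSecret = "..."` or `#define API_SECRET @"..."`.
SOURCE_SECRET_RE = re.compile(
    r'(?P<name>\w*secret\w*)\s*(?:=|:)?\s*@?"(?P<value>[^"\n]{8,})"', re.IGNORECASE)
# PEM private-key blocks, e.g. the key of an APNs push certificate committed with the cert.
PEM_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# Binary certificate bundles: a .p12/.pfx in a repo almost always carries a private key.
CERT_BUNDLE_EXT = (".p12", ".pfx")

Finding = Tuple[str, str, str]  # (path, kind, detail)


def scan_plist(path: str, data: bytes) -> List[Finding]:
    """Flag non-empty string values whose key name looks like a login secret, at any depth."""
    findings: List[Finding] = []
    try:
        obj = plistlib.loads(data)
    except Exception:  # not a parseable plist: nothing to report for this rule
        return findings

    def walk(node, prefix=""):
        if isinstance(node, dict):
            for k, v in node.items():
                if isinstance(v, str) and v and SECRET_KEY_RE.search(str(k)):
                    findings.append((path, "plist-secret", f"{prefix}{k}"))
                walk(v, f"{prefix}{k}.")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{prefix}{i}.")

    walk(obj)
    return findings


def scan_tree(files: Dict[str, bytes]) -> List[Finding]:
    """Scan a {path: content} map (stands in for a checked-out repository) and return findings."""
    findings: List[Finding] = []
    for path, data in files.items():
        lower = path.lower()
        if lower.endswith(CERT_BUNDLE_EXT):
            findings.append((path, "cert-bundle", "PKCS#12 bundle committed to repository"))
            continue
        if lower.endswith(".plist"):
            findings.extend(scan_plist(path, data))
            continue
        text = data.decode("utf-8", errors="replace")
        if PEM_KEY_RE.search(text):
            findings.append((path, "private-key", "PEM private key block"))
        for m in SOURCE_SECRET_RE.finditer(text):
            findings.append((path, "source-secret", m.group("name")))
    return findings


# Constructed sample repository; none of these paths or values come from a real project.
SAMPLE_REPO: Dict[str, bytes] = {
    "App/Info.plist": plistlib.dumps({
        "CFBundleIdentifier": "jp.example.shopapp",
        "ExternalLogin": {"ClientID": "abc123",
                          "ClientSecret": "s3cr3t-value-should-not-be-here"},
    }),
    "App/Certs/push_dev.p12": b"\x30\x82",  # placeholder bytes standing in for a PKCS#12 file
    "App/Certs/push_key.pem": (b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n"
                               b"-----END RSA PRIVATE KEY-----\n"),
    "App/Auth/Login.swift": (b'let clientSecret = "zzzz-hardcoded-secret-zzzz"\n'
                             b'let redirect = "shopapp://cb"\n'),
    # An empty placeholder is the acceptable pattern: the real value is injected at build time.
    "App/Auth/Config.example.plist": plistlib.dumps({"ClientSecret": ""}),
}

if __name__ == "__main__":
    for path, kind, detail in scan_tree(SAMPLE_REPO):
        print(f"{kind:14s} {path}: {detail}")
```

Run against a real checkout, the same logic would be fed by walking the working tree; the point of the `Config.example.plist` entry is that an empty placeholder in a committed template, with the real secret supplied from outside the repository at build time, is the pattern that avoids the exposure described above.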
Seven & i HD Answers
Seven & i HD public relations responded to our inquiry about the facts. The person in charge declined to comment, saying, "We are currently confirming this matter."
At this time, there was no clear answer as to whether information about the possible source code leak will be included in the "future countermeasures" that Seven plans to announce in July.
From the editorial department: Added the response from Seven & i HD Public Relations and updated the text under "Seven & i HD Answers". July 24, 2019, 19:10 (Text: 7pay coverage team)