P2P platform vulnerability hazards
[Chart: breakdown of logic vulnerability types]
[Chart: share of P2P platform vulnerabilities that affect fund security]
Sina Technology, by Wang
The WooYun vulnerability reporting platform recently compiled a report on P2P platform vulnerabilities. It shows that the majority of vulnerabilities reported against domestic P2P enterprises affect the security of user funds, and that many well-known platforms are involved, among them "pterosaur loan", "loan pleasant", "easy loan network" and "favorable net". Some of these vulnerabilities have since been fixed; others still exist.
According to the data collected by WooYun, the platform has received 402 P2P industry vulnerabilities since 2014, of which 235 arrived in the first half of 2015 alone, a year-on-year increase of 40.7% over the first half of 2014.
WooYun's statistics for P2P industry vulnerabilities reported from 2014 through August 2015 show that 56.2% were high-risk, 23.4% medium-risk and 12.3% low-risk; the remainder were ignored by the vendors.
Of the 402 vulnerabilities reported since 2014, those that could affect the security of funds made up 39% of the total. In the first half of 2015 that share rose to 43% of the P2P vulnerabilities reviewed.
Among the logic vulnerabilities, password reset vulnerabilities accounted for 60% and unauthorized-access vulnerabilities for 40%; payment vulnerabilities and the remaining categories accounted for the other 20% (figures as given by the report).
Of the six groups of cases, most have been confirmed by the vendors and fixed. Among them, password reset vulnerabilities are especially common:
Password reset vulnerabilities caused by logic errors or design defects
Platforms involved: "search easy loan", "pterosaur loan", "and credit", "Gimhae loan", "pat loan" and "favorable net"
Simply put, the attacker takes the reset credential (the code or link) issued for his own account and uses it to reset another user's password.
In the "pterosaur loan" case, the password reset flow exposed the user's email address, account balance, mobile phone number, ID card number and other sensitive information to anyone capturing the traffic.
In addition, with only the email address and ID card number, the white hat could also reset the user's password.
In the "favorable net" case, the reset parameter was too simple (too few possible values) and the number of requests was not limited, so any user's password could be reset by brute force.
In the "and credit" case, a design flaw meant that resetting another user's password did not require the specific reset URL delivered to that user's mailbox: the attacker could simply construct the other user's reset URL and reset the password directly.
Password reset vulnerabilities of this kind are common on P2P platforms and fall into three types: brute-forceable codes, tamperable account parameters, and flaws that require some interaction with the victim. It seems that hackers reset
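The brute-force and tamper types described above can be reproduced against a small in-memory model of a reset endpoint. The following is an added illustration written for this article, not code from WooYun or from any of the platforms named; the account names, the 4-digit code format and the `VulnerableResetService` / `HardenedResetService` classes are constructed for the example. The vulnerable service keeps issued codes in a pool that is not bound to any account and applies no attempt limit, which is enough for both attacks; the hardened service binds a long random token to the requesting account, makes it single-use and time-limited, and locks the account after a few failed confirmations.

```python
import hashlib
import hmac
import secrets
import time


def fresh_users():
    """Constructed sample accounts for the demonstration (not real data)."""
    return {
        "alice": {"email": "alice@example.com", "password": "alice-old"},
        "bob": {"email": "bob@example.com", "password": "bob-old"},
        "mallory": {"email": "mallory@example.com", "password": "mallory-old"},
    }


class VulnerableResetService:
    """Hypothetical endpoint showing the flaw pattern: a 4-digit code that is
    checked only for existence (not for which account it was issued to), and
    no limit on confirmation attempts."""

    def __init__(self, users):
        self.users = users
        self.valid_codes = set()  # issued codes, not tied to any account

    def request_reset(self, username):
        code = f"{secrets.randbelow(10_000):04d}"  # 10,000 possible values
        self.valid_codes.add(code)
        return code  # "sent" to that user's mailbox

    def confirm_reset(self, username, code, new_password):
        # 'username' is whatever the client posts; no rate limit.
        if code in self.valid_codes:
            self.users[username]["password"] = new_password
            return True
        return False


class HardenedResetService:
    """Token bound to the requesting account, single use, expiring, with an
    attempt counter that locks the account before enumeration is feasible."""

    MAX_ATTEMPTS = 5
    TTL_SECONDS = 900

    def __init__(self, users):
        self.users = users
        self.pending = {}  # sha256(token) -> (username, issued_at)
        self.failed = {}   # username -> failed confirmation attempts

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username):
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self.pending[self._digest(token)] = (username, time.time())
        return token

    def confirm_reset(self, username, token, new_password):
        if self.failed.get(username, 0) >= self.MAX_ATTEMPTS:
            return False  # locked out: stops brute force
        key = self._digest(token)
        entry = self.pending.get(key)
        bound_ok = entry is not None and hmac.compare_digest(entry[0], username)
        fresh = entry is not None and time.time() - entry[1] <= self.TTL_SECONDS
        if not (bound_ok and fresh):
            self.failed[username] = self.failed.get(username, 0) + 1
            return False
        del self.pending[key]  # single use
        self.users[username]["password"] = new_password
        self.failed.pop(username, None)
        return True


def brute_force_reset(service, victim, new_password, max_guesses=10_000):
    """Brute-force type: request a reset for the victim, then try every code.
    Returns the number of guesses that were needed, or None on failure."""
    service.request_reset(victim)
    for guess in range(max_guesses):
        if service.confirm_reset(victim, f"{guess:04d}", new_password):
            return guess + 1
    return None


def tampered_reset(service, attacker, victim, new_password):
    """Tamper type: the attacker requests a reset for his own account, then
    replays the credential he received with the victim's account name."""
    credential = service.request_reset(attacker)
    return service.confirm_reset(victim, credential, new_password)


if __name__ == "__main__":
    users = fresh_users()
    vuln = VulnerableResetService(users)
    print("brute force (vulnerable):", brute_force_reset(vuln, "alice", "pwned"))
    print("tamper (vulnerable):", tampered_reset(vuln, "mallory", "bob", "pwned"))
    users = fresh_users()
    hard = HardenedResetService(users)
    print("brute force (hardened):", brute_force_reset(hard, "alice", "pwned"))
    print("tamper (hardened):", tampered_reset(hard, "mallory", "bob", "pwned"))
```

Running the block shows both attacks succeeding against the vulnerable service and failing against the hardened one. The "construct the other user's URL" case from the "and credit" report is the same binding failure as the tamper type: whatever the client supplies to identify the account must be ignored in favour of the account the token was issued to.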