A flaw in the implementation of the PIX payment system at the Kabum online store in December 2020 allowed an attacker to view other customers’ data. It was possible to see which order had been placed, its amount, the buyer’s full name and CPF, and the order’s date and number. When alerted to the problem, Kabum corrected it immediately, and there are no reports that the flaw was exploited maliciously.
Kabum was alerted to the problem, which was corrected a few hours after the alert
According to an anonymous source, the problem was in the QR Code string used for PIX payment. “Kabum follows the order number, which is sequential, so it is easy to find others. And then, using the QR Code data, just follow the thread to the payer’s personal data and what he asked for,” warned the source.
When asked about the encryption of this information, the source replied: “Cryptography does not bring secrecy when there is no secret element; the encryption of Pix data guarantees authenticity and a chain of accountability, but that is all.” The online store adds: “We reinforce that the system was implemented by KaBuM! following all the recommendations and security protocols requested by the Central Bank.”
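As an added illustration (not code from Kabum, Itaú or the article), the pattern the source describes, a payment reference that is just the sequential order number with no check on who is asking, beside the two fixes a defender would apply: an unguessable per-order reference and an ownership check on every lookup, plus a simple detection rule over a constructed status-endpoint log. The store layout, field names and order data are assumptions, not details from the report.

```python
"""Added example, not Kabum's, Itaú's or the article's code. Models the flaw the
source describes (the PIX QR string carrying the bare, sequential order number)
beside the two fixes a defender applies: an unguessable per-order reference and
an ownership check on every lookup. Field names and order data are constructed."""
import secrets
from collections import defaultdict
from typing import Optional

# Constructed order table, keyed by the store's sequential order number.
ORDERS = {
    1001: {"customer": "alice", "name": "Alice A.", "cpf": "***.***.***-01", "amount": 199.90},
    1002: {"customer": "bob",   "name": "Bob B.",   "cpf": "***.***.***-02", "amount": 49.00},
}

def vulnerable_lookup(order_ref: int) -> dict:
    """Flawed pattern: the reference in the QR string is the order number itself,
    so it is predictable, and nothing checks who is asking."""
    return ORDERS[order_ref]

# Hardened: the QR string carries a random reference that maps back to the order.
REFS: dict[str, int] = {}

def issue_reference(order_no: int) -> str:
    ref = secrets.token_hex(16)          # 128 random bits; not derivable from other orders
    REFS[ref] = order_no
    return ref

def hardened_lookup(ref: str, requester: str) -> Optional[dict]:
    """Returns the order only to its owner; None for unknown refs and for other
    customers alike, so the response does not reveal whether a ref exists."""
    order_no = REFS.get(ref)
    if order_no is None or ORDERS[order_no]["customer"] != requester:
        return None
    return ORDERS[order_no]

def flag_enumeration(events: list, threshold: int = 3) -> set:
    """Detection side: clients that looked up many distinct order references.
    `events` are constructed (client, order_ref) pairs from a status-endpoint log;
    a legitimate payer normally touches only the one order they are paying for."""
    seen: dict = defaultdict(set)
    for client, order_ref in events:
        seen[client].add(order_ref)
    return {c for c, refs in seen.items() if len(refs) >= threshold}
```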
According to the documents received, the vulnerability affected payments made via PIX Itaú during a specific period. Kabum denies that the flaw was exploited by cybercriminals.