Apple Pay has a slew of protective features that make it a secure method of online credit card transactions. And since 2016, third-party merchants and services have been able to embed Apple Pay into their websites and offer it as a payment option. But at the Black Hat security conference in Las Vegas on Thursday, one researcher is presenting findings that this integration inadvertently introduces vulnerabilities that could expose the host website to attack.
To be clear, this isn't a flaw in Apple Pay itself, or its payment network. But the findings illustrate the unintended issues that can emerge from web interconnections and third-party integrations. Joshua Maddux, a security researcher at the analysis firm PKC Security, first noticed the issue last fall when he was implementing Apple Pay support for a client.
You set up Apple Pay functionality in your web service by integrating with the Apple Pay application programming interface—allowing Apple to power the module with its existing Apple Pay infrastructure. But Maddux noticed that the connection between a site and the Apple Pay infrastructure, and the validation mechanism meant to broker this connection, can be established in a number of different ways, all at the host site's discretion. An attacker could swap the URL a target site uses to talk to Apple Pay, for instance, with a malicious URL that can send queries or commands to the target site's infrastructure. From there, the attacker can use this position to potentially extract an authorization token or other privileged data, which in turn gives them access to the website's backend infrastructure.
The flaws fit into a well-known class of vulnerability called "server-side request forgery," which allows an attacker to make a server issue requests on their behalf, bypassing protections like firewalls and directly reaching internal web applications. These vulnerabilities pose a real threat, and are regularly exploited in the wild. Most recently, they played a role in last month's massive Capital One breach. Similarly, flexibility in how a website integrates Apple Pay potentially exposes its own backend infrastructure to unauthorized access.
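The request the article describes is the merchant-validation step: the browser-side Apple Pay session hands the merchant's server a validation URL (the `validationURL` of the `onvalidatemerchant` event), and the server fetches it. If the server fetches whatever URL it is handed, a tampered value turns that fetch into a server-side request forgery. The following is an added example, not code from PKC Security, Apple or WIRED, showing the server-side check a defender would put in front of that fetch: only an HTTPS URL whose host is on a fixed allowlist of Apple Pay gateway hosts is ever requested. The allowlist contents, the `post_json` client signature and the merchant identifiers are assumptions for illustration; the real host list comes from Apple's documentation.

```python
"""Allowlist check for the Apple Pay merchant-validation URL before the
server fetches it. Added example; not the article's or Apple's code."""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: the production gateway host Apple documents, plus a
# placeholder for any additional hosts Apple's current docs list.
ALLOWED_VALIDATION_HOSTS = frozenset({
    "apple-pay-gateway.apple.com",
    "example-additional-gateway.apple.com.placeholder",
})


def is_allowed_validation_url(url: str) -> bool:
    """Return True only for https://<allowlisted host>[:443]/... with no userinfo
    and no IP literal. Everything else is rejected before any request is made."""
    try:
        parts = urlsplit(url)
        port = parts.port            # may raise ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False                 # plaintext or other schemes are never Apple's gateway
    if parts.username is not None or parts.password is not None:
        return False                 # reject "https://trusted-host@internal-host/" tricks
    host = parts.hostname            # lowercased, brackets stripped for IPv6
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                 # an IP literal can only point somewhere internal
    except ValueError:
        pass
    if port not in (None, 443):
        return False
    # Exact match only: a suffix check would accept "apple.com.attacker.example".
    return host in ALLOWED_VALIDATION_HOSTS


def validate_merchant(validation_url: str, post_json):
    """Perform merchant validation only after the URL passes the check.

    post_json(url, payload) is an injected HTTP client with an assumed
    signature so the example runs offline; in production it would present
    the merchant identity certificate over mutual TLS."""
    if not is_allowed_validation_url(validation_url):
        raise ValueError(f"refusing merchant validation against untrusted URL: {validation_url!r}")
    payload = {                      # placeholder merchant details
        "merchantIdentifier": "merchant.example.placeholder",
        "displayName": "Example Shop",
        "initiative": "web",
        "initiativeContext": "shop.example",
    }
    return post_json(validation_url, payload)


# Constructed sample of URLs a server might be handed, trusted and tampered.
SAMPLE_VALIDATION_URLS = [
    "https://apple-pay-gateway.apple.com/paymentservices/startSession",
    "https://APPLE-PAY-GATEWAY.apple.com/paymentservices/startSession",
    "http://apple-pay-gateway.apple.com/paymentservices/startSession",
    "https://apple-pay-gateway.apple.com.attacker.example/startSession",
    "https://apple-pay-gateway.apple.com@10.0.0.5/admin",
    "https://10.0.0.5/admin",
    "https://[::1]:443/",
    "https://apple-pay-gateway.apple.com:8443/startSession",
    "https://localhost/",
]


def triage(urls):
    """Map each candidate URL to whether the server would be willing to fetch it."""
    return {u: is_allowed_validation_url(u) for u in urls}


if __name__ == "__main__":
    for url, ok in triage(SAMPLE_VALIDATION_URLS).items():
        print("ALLOW " if ok else "REJECT", url)
```

The check runs on the server, where the fetch happens; validating the URL in the browser alone would not help, because the tampered value is exactly what the browser-side code would send. Exact host matching, the userinfo rejection and the IP-literal rejection each close a specific way of steering the fetch somewhere other than Apple.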
"It’s not Apple Pay itself, it's purely an exposure to websites that have added support for Apple Pay," Maddux says. "But on the other hand, users who use Apple Pay do trust those merchant sites with their data, so in that respect the connection is important."
Maddux first notified Apple about the issue in February and communicated with the company about his proposed mitigations in March—which included locking down the options for how websites can configure the integration so there aren't so many potential exposures. Maddux says that in his evaluations it seems that Google Pay, for example, has more specific directions and fewer options. Maddux has since noticed that Apple has revised its documentation for adding an Apple Pay button to make it less likely that sites will integrate it in this potentially vulnerable way. But there don't seem to be any structural changes. Apple did not return a request for comment from WIRED.
Maddux notes that server-side request forgery vulnerabilities crop up in other integrations across the web as well, not just with the Apple Pay module. And it is currently possible to implement an Apple Pay button in a safer way if you know how to mitigate the potential weaknesses. But Maddux says there needs to be more awareness of the problem, because popular integrations like Apple Pay end up on countless sites across the web and create exposures even if a site's users never interact with the module.
"It certainly is possible to implement support for Apple Pay safely," Maddux says. "It's just that it wouldn't be obvious to a non-security-conscious developer who doesn't understand server-side request forgery. It's currently not very deeply embedded into developers' consciousness."
Given how many Apple Pay buttons are out there in the digital world, though, it's long past time to pay attention.