In this post I want to talk about the security of terminals of the largest payment service in the CIS countries 'Qiwi', as well as the data entered in it. Today you will learn how, using the vulnerability of the Vkontakte social network, we can easily access TeamViewer data from the Qiwi payment terminal. Well, let's get started ...
Start
While a boring remote lesson is playing in the background, I, crawling through Vkontakte documents (through a vulnerability that is no longer a secret to anyone), came across an interesting file 'passwords from teamviewer 14' (now the file has already been deleted). It contained a table with three columns, namely the address, ID and password from TeamViewer ... Having entered the specified data, I was unpleasantly surprised ... The interface of the Qiwi payment terminal appeared in front of me ... "Hmmm," - I thought, βAnd people are entering their personal data thereβ.
Sharing on the terminal
Perhaps we should start with the characteristics of the terminal, which, by the way, are very modest. A mediocre AMD Sempron processor and 2 gigabytes of RAM, which is very small by the standards of 2021 (but it will do for a terminal). Installed on the terminal Windows 7 Home Basic (I thought they still sit on Windows XP, hehe)). Here's a screenshot:
(Google Chrome . ., () OBS. , - ( , ). , , , , ( ), :
. 'Qiwi' . , ...
Skype
?
( ). , ( , 2020 ). , .
Sometimes banal irresponsibility becomes the reason for such a terrible drain. You don't need to be a professional hacker to access the personal data of dozens of Qiwi customers. And do not be surprised if the next time passing by the Qiwi terminal, instead of the usual Qiwi interface, you will see the Klondike Solitaire or an open video of obscene content spread out.
What should Qiwi do to avoid this situation in the future?
Qiwi needs to be more reliable in choosing its resellers, and companies installing and configuring equipment need to select only qualified workers.