Don’t store your credit card on AliExpress – someone could hijack your session and make bogus purchases from your card.

Originally shared by Daniel Tullemans

Heads up! Anyone who uses AliExpress should know that while their checkout is secure, the way they handle your login is not – long story short, it’s possible for an attacker to impersonate you after you have logged in.

What this means is that if you have a credit card number stored in their system, the attacker can make purchases on AliExpress using that card without your permission. While doing this would normally present a risk to the attacker (showing you their address), it is possible for them to purchase a bogus item from their own store (which they have no intention to ship), then mark the item as received so that “your” payment clears immediately.

If you have a card stored in their system, you should remove it (and enter it manually each time you purchase something).

Thanks for sharing this

I’m one of those suckers who entered his credit card info into Alipay (the payment system used by AliExpress and Alibaba). After I read this post I said “ok, I’ll just go and remove my credit card info”. So after clicking around AliExpress, it took me to the Alipay site, where it said it would like to verify my email address. Ok, no problem. The verification link takes you to an “open an account” page that asks for all sorts of information:
date of birth, nationality, identification document number, etc.

Instead of entering all that info, I clicked “help center” then “payment” then “add cards”. There is a link that will let you remove your card info.

https://icshall.alipay.com/hall/cateQuestion.htm?categoryId=874&type=KNOWLEDGE_BASE&helpId=81&language=en_US

Thanks for letting me know about the vulnerability.

Thanks, @Daniel_Tullemans, @Luminous_Elements, and @Garrett_Durland. I hit the same ‘open an account’ page while trying to remove mine as well.

I’m not saying that this is just a scare, but I couldn’t find anything else relating to it on the internet. I make two or three orders from AliExpress every day and have had no problems at all with their security. Over 700 orders so far…

But there’s also no harm in removing your card details.

@Jeremy_Spencer : You don’t have to “find anything else relating to it” if you can prove it yourself:

  • Your login persists between HTTPS and HTTP,
  • To persist a logged in session, you must store a session cookie (an identifier which the server and client can use to associate with one another) and pass it from client to server with each request,
  • Session cookies passed via HTTP (specifically, not HTTPS) can be “sniffed” by an attacker, who can then use the session cookie to impersonate the logged-in user from a different machine,
  • Once you are logged in, AliExpress does not make you log in a second time before making a purchase.

The combination of these four factors allows an attacker to make purchases on your behalf.
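As an added illustration of the four points above (this is example code written for this page, not something posted in the thread or taken from AliExpress or Alipay), the script below uses Python's standard-library CookieJar as a stand-in for a browser. It "logs in" over HTTPS using constructed Set-Cookie headers for a hypothetical host shop.example, then asks the jar which cookies it would attach to a plain http:// request to the same host. A session cookie set without the Secure attribute is handed over on the HTTP request, which is exactly what a sniffer on the path would capture and replay; the same cookie with Secure set stays on HTTPS only. A small static audit of the Set-Cookie lines is included so the check can be run against headers captured from any site.

```python
"""Does a session cookie survive the drop from HTTPS to HTTP?

Added example for this thread, not code from AliExpress, Alipay or any poster.
The Set-Cookie headers and the host name shop.example are constructed for
illustration. Python's CookieJar implements the same rule a browser does:
a cookie without the Secure attribute is sent on every request to the host,
http:// included; a cookie with Secure is sent only over https://.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed headers for a hypothetical login response (not real headers).
WEAK_SET_COOKIE = [
    "SESSIONID=abc123; Path=/; HttpOnly",          # no Secure flag
    "lang=en; Path=/",
]
FIXED_SET_COOKIE = [
    "SESSIONID=abc123; Path=/; HttpOnly; Secure",  # Secure flag added
    "lang=en; Path=/",
]


class _CapturedResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            # Message.__setitem__ appends, so repeated Set-Cookie lines survive.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookies_sent_over_plain_http(login_url, set_cookie_headers, follow_up_url):
    """Simulate a login at login_url, then a request to follow_up_url.

    Returns the sorted names of the cookies the client would attach to the
    follow-up request. For an http:// follow_up_url these are the cookies an
    on-path attacker could sniff and replay from another machine.
    """
    jar = CookieJar()
    login_request = Request(login_url)
    jar.extract_cookies(_CapturedResponse(set_cookie_headers), login_request)

    follow_up = Request(follow_up_url)
    jar.add_cookie_header(follow_up)             # applies the Secure rule
    header = follow_up.get_header("Cookie", "")
    return sorted(
        part.split("=", 1)[0].strip()
        for part in header.split(";")
        if part.strip()
    )


def audit_set_cookie(set_cookie_headers):
    """Static check: map each cookie name to the protective attributes it lacks.

    Only Secure and HttpOnly are checked; both are what a practitioner looks
    for first on a session cookie.
    """
    findings = {}
    for line in set_cookie_headers:
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    login = "https://shop.example/login"
    for label, headers in (("weak", WEAK_SET_COOKIE), ("fixed", FIXED_SET_COOKIE)):
        leaked = cookies_sent_over_plain_http(login, headers, "http://shop.example/")
        print(f"{label}: sent over plain HTTP -> {leaked}")
        print(f"{label}: audit -> {audit_set_cookie(headers)}")
```

With the weak headers the http:// request carries SESSIONID, so anyone who can read that request owns the session until it expires or is invalidated server-side; with the fixed headers only the harmless lang cookie crosses to HTTP. Note that Secure only closes the sniffing route: it does nothing about the fourth point in the post, a site that lets a live session purchase with a stored card without re-authenticating.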