China’s most popular online payment app Alipay announced Tuesday that it plugged a user authentication security flaw.

Alipay got busy patching the flaw after receiving complaints from China’s internet users. Many found they could log into an account with just some personal information and did not need a password to make payments.

The process of hacking into an Alipay account takes just a few steps, as described by a user on China’s Q&A site Zhihu:

  1. Tap forgot my password.
  2. I don’t have my phone.
  3. Select one recently purchased item from nine.
  4. Choose one friend from nine friends, or choose one recently used address.
  5. Login successful!

Before Alipay plugged this hole, you could then make payments by scanning a QR code without a password.

Retrieving Alipay password by identifying friends (source: Zhihu)

The information required for verification is easy to guess and puts an Alipay user’s account at risk from anyone who has it. That could include a user’s close friends, Taobao merchants, or even delivery workers if they are in the user’s Alipay contact list, which is quite possible given Alipay’s aggressive push into social networking.

The company claims it has raised its security level to fix the flaw. To retrieve a password, Alipay users now have to enter a verification code sent to their registered phone number via text message. For users who do not have their phone at hand or want to change mobile devices, Alipay said it would evaluate the risk in terms of the network environment and whether the account information is intact.

The company also warned users to report loss of the account as soon as possible when receiving notifications about unauthorized logins.

Alipay said that users can only retrieve their login password, not their payment password. However, this is not a valid defense: even though the flaw only grants login, payments can still be made by scanning a QR code, which requires no payment password, at least for small sums.

In the upgraded version, password retrieval through selecting purchased items or friends works only for users who try to recover their passwords through their own previously registered devices.
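To make the weakness and the fix concrete, here is an added example (not Alipay’s code, and not from the Zhihu post) that models the recovery flow described above: two 1-of-9 picks as a knowledge-based check, and a gate that, per the article, accepts either a one-time code sent to the registered phone or the knowledge check only on a previously registered device. The `risk_ok` flag stands in for Alipay’s unspecified network/account risk evaluation and is an assumption.

```python
"""Model of the recovery challenge and the before/after policy (constructed example)."""
import math
from dataclasses import dataclass

OPTIONS_PER_STEP = 9  # the article describes picking 1 of 9, twice
STEPS = 2
P_BLIND_PASS = (1 / OPTIONS_PER_STEP) ** STEPS  # 1/81 for someone who knows nothing


def blind_guess_success(attempts: int) -> float:
    """Probability that a guesser with no knowledge of the account passes both
    picks within `attempts` independent tries (assumes no lockout)."""
    return 1 - (1 - P_BLIND_PASS) ** attempts


def attempts_for(target: float) -> int:
    """Smallest number of blind attempts giving at least `target` success probability."""
    return math.ceil(math.log(1 - target) / math.log(1 - P_BLIND_PASS))


@dataclass
class RecoveryRequest:
    kba_passed: bool          # picked the right purchase and the right friend/address
    otp_verified: bool        # code sent to the registered phone number was entered
    registered_device: bool   # request comes from a device previously tied to the account
    risk_ok: bool = True      # assumed stand-in for Alipay's network/account risk check


def old_policy(req: RecoveryRequest) -> bool:
    """Pre-fix flow: the knowledge check alone unlocks the login password."""
    return req.kba_passed


def new_policy(req: RecoveryRequest) -> bool:
    """Post-fix flow as the article states it: an SMS code to the registered phone,
    or the knowledge check restricted to a previously registered device that
    also passes the risk evaluation."""
    if req.otp_verified:
        return True
    return req.registered_device and req.kba_passed and req.risk_ok


if __name__ == "__main__":
    stranger = RecoveryRequest(kba_passed=True, otp_verified=False, registered_device=False)
    print("old policy, unknown device:", old_policy(stranger))  # True
    print("new policy, unknown device:", new_policy(stranger))  # False
    print("blind attempts for 50% success:", attempts_for(0.5))  # 56
```

Note that the attempt count only describes a stranger; a contact who already knows the user’s purchases or friends passes the knowledge check on the first try, which is exactly the risk the article describes.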

Alipay’s bumpy way to social networking

This is yet another setback that Alipay has encountered in its social networking push. Just one month ago, the most commonly used payment app was blasted with criticism for generating lewd content.

Many feared that integrating social networking features into a financial service would put customer assets and personal information at risk.

Although Alipay pledged to raise its security levels, many netizens remain skeptical. More than 2,400 people liked a harsh comment from one Weibo user:

“Still want to say dirty words, do your fucking job in payment, and stop dreaming about social networking.”

In response, all Alipay could say was: “You are right.”