At Black Hat 2019, researcher Joshua Maddux found that security vulnerabilities can arise when websites add online payment integrations like Apple Pay. To be clear, he says it’s not an issue with Apple Pay itself, but rather how websites add it. And other third-party integrations can be similarly affected.
The flaws fit into a well-known type of vulnerability called “server side request forgery,” which allow attackers to bypass protections like firewalls to directly send commands to web applications. These vulnerabilities pose a real threat, and are regularly exploited in the wild. Most recently, they played a role in last month’s massive Capital One breach. Similarly, flexibility in how a website integrates Apple Pay potentially exposes its own backend infrastructure to unauthorized access.