Alibaba’s Latest Payments Innovation: Selfie-Powered Transactions
As mobile payments become more a part of the business landscape, the question of how to make them safer is top of mind. Alibaba — the vast Chinese ecommerce company that closed out 2014 with the biggest U.S.-based IPO to date — has a solution.
This week, Alibaba founder Jack Ma spoke at the CeBIT conference in Hanover, Germany, and demonstrated a new service called “Smile to Pay” that would give consumers a password-free way to shop online. The service would allow users to make a purchase from their mobile phone, then require them to snap a selfie to authenticate the purchase using Alibaba’s facial recognition technology.
“Today we’ll show you a new technology, how in the future people will buy things online,” said Ma of this latest innovation, which will first be rolled out in China.
Alibaba owns an online payment platform called Alipay, which has a complicated back story. It was launched in 2004 to be used for Taobao, an online marketplace comparable to eBay. In 2011, it was spun off into its own entity under the control of a company called ANT Financial (which in turn was founded by the Alibaba Group).
Ma still has a 46 percent stake in Alipay, which boasts more than 100 million mobile users (over 300 million users as of December ’14) and has hosted over 2.78 billion transactions on the Alipay Wallet app.
Alipay is currently accepted by a number of Western-based retailers including Bloomingdale’s, Macy’s and Saks Fifth Avenue, thanks to a relationship with ecommerce platforms such as ShopRunner.
Flaw in WordPress caching plug-in could affect over 1 million sites
WordPress websites are a popular target for hackers and many of them are compromised due to plug-in vulnerabilities. Just on Tuesday, the FBI warned that attackers sympathetic to the extremist group ISIS—also known as ISIL—have defaced many websites by exploiting known vulnerabilities in WordPress plug-ins.
The persistent cross-site scripting (XSS) flaw in WP Super Cache can be exploited by sending a specially crafted query to a WordPress website with the plug-in installed, according to Marc-Alexandre Montpas, a senior vulnerability researcher at Web security firm Sucuri.
The attack could be used to inject malicious scripts into a page that lists the files cached by the plug-in, and which is accessible only to administrators. As such, in order for the malicious code to be executed, the page must be viewed by an administrator.
“When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.,” Montpas, who found the vulnerability, said Tuesday in a blog post.
WP Super Cache can be used to optimize WordPress sites by converting dynamically generated pages into static HTML files that are then served to visitors. This can be very helpful for websites that receive a lot of traffic, because it reduces server resource and bandwidth consumption.
However, replacing PHP-generated pages with static, cached copies has its drawbacks. The biggest one is that whenever there are changes to a page, the corresponding cached file needs to be regenerated.
As outlined in an older bug entry, after making tweaks to a page, administrators might need to look at the list of cached files to know which one to delete. So, the administrative action needed to exploit the vulnerability found by Montpas is not uncommon.
According to statistics from the official WordPress plug-in directory, the WP Super Cache plug-in has over one million active installations. In order to be protected, WordPress site owners should upgrade the plug-in to the latest version—1.4.4 at the time of this article.
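For administrators who run many WordPress sites, the upgrade advice above can be checked in bulk. The script below is an added example, not part of the original article or of the plug-in: it finds WP Super Cache installs under a web root and flags any older than the 1.4.4 release named above. It assumes the plug-in's main file is `wp-content/plugins/wp-super-cache/wp-cache.php` and carries a standard WordPress `Version:` header; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag WP Super Cache installs older than the version the article names.
TARGET_VERSION="1.4.4"   # from the article; file layout below is an assumption

# Extract the "Version:" value from a WordPress plug-in header file.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is strictly lower than $2 (numeric, field by field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Print one line per install under web root $1: "<status> <version> <path>".
audit_root() {
    find "$1" -type f -path '*/wp-content/plugins/wp-super-cache/wp-cache.php' 2>/dev/null |
    while IFS= read -r f; do
        v=$(plugin_version "$f")
        if [ -z "$v" ]; then
            echo "UNKNOWN - $f"
        elif version_lt "$v" "$TARGET_VERSION"; then
            echo "OUTDATED $v $f"
        else
            echo "OK $v $f"
        fi
    done
}

# With a path argument, audit it; otherwise audit two constructed sample installs.
if [ "$#" -gt 0 ]; then
    audit_root "$1"
else
    demo=$(mktemp -d)
    for pair in old:1.4.2 new:1.4.4; do
        d="$demo/${pair%%:*}/wp-content/plugins/wp-super-cache"
        mkdir -p "$d"
        printf '<?php\n/*\nPlugin Name: WP Super Cache\nVersion: %s\n*/\n' "${pair#*:}" > "$d/wp-cache.php"
    done
    audit_root "$demo"
    rm -rf "$demo"
fi
```

An `UNKNOWN` line means the header could not be parsed and the install should be inspected by hand.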