Tmall Demo Payment Vulnerability in Order Processing Logic

Vulnerability

A payment-bypass vulnerability has been identified in the Tmall Demo shopping cart application, affecting versions prior to May 5, 2025. The issue lies in the Payment Identifier Handler component, in the '/tmall/order/pay/' endpoint. Because of a logical error in the purchase flow, the server accepts the order number carried in the client's payment request as proof that the order has been paid, so a user can have an order marked as processed without any money changing hands, a so-called 'zero-dollar purchase'. Such an exploit can cause direct economic losses for merchants, damage brand reputation, and distort market competition.

Impact

Exploitation of this vulnerability allows unauthorized zero-dollar purchases: any authenticated shopper can obtain goods without paying for them, causing economic losses for merchants and disrupting normal market competition.

Reproduction

To reproduce this vulnerability, add any product to the shopping cart and place an order so that an order number is generated but left unpaid. Start the payment flow, intercept the request sent to the payment endpoint, and replace the order number in the payment data with the number of that unpaid order. When the modified request is sent, the server marks the order as processed even though no payment was made. The key observation is that the payment endpoint performs no server-side check that a payment matching the order's total was actually received; the order number alone is enough.

Remediation

It is recommended to conduct a thorough code review of the payment handler to address the specific logic error. The client-supplied order number should be treated only as a lookup key: before an order is marked paid, the server should verify that the order belongs to the authenticated user, that it is still unpaid, and that the payment provider has confirmed a payment equal to the order's total. More generally, strengthening server-side verification of key data such as prices and order state prevents client-side tampering. Updating security policies to flag abnormal trading behaviour, such as frequent low-price or zero-price orders, is also advisable as a detective control.
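The following is an added example, not code from Tmall Demo or from the original advisory, that models the reproduction step and the remediation above in one place: a pay handler that trusts the client-supplied order number beside a hardened handler that checks ownership, order state and the provider-confirmed amount before marking the order paid. All names (OrderStore, FakeGateway, pay_vulnerable, pay_hardened, the sample order and the payment packet) are assumptions made for this illustration and do not correspond to identifiers in the real project.

```python
"""Added illustration of a payment-confirmation logic error and its fix.

Everything here is constructed for the example: the order store, the
fake payment gateway, the sample order and the tampered packet are not
taken from Tmall Demo.
"""
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    user_id: str
    total_cents: int
    status: str = "unpaid"  # "unpaid" or "paid"


class OrderStore:
    """Hypothetical in-memory order table."""

    def __init__(self):
        self.orders = {}

    def create(self, order_id, user_id, total_cents):
        self.orders[order_id] = Order(order_id, user_id, total_cents)

    def get(self, order_id):
        return self.orders.get(order_id)


class FakeGateway:
    """Constructed stand-in for the payment provider: records which order
    numbers it has actually received money for, and how much."""

    def __init__(self):
        self.confirmed = {}

    def confirm(self, order_id, amount_cents):
        self.confirmed[order_id] = amount_cents

    def lookup(self, order_id):
        return self.confirmed.get(order_id)


def pay_vulnerable(store, packet):
    """Logic error: the order number in the client's payment packet is taken
    as proof of payment and the order is marked paid immediately."""
    order = store.get(packet["order_id"])
    if order is None:
        return "no such order"
    order.status = "paid"
    return "ok"


def pay_hardened(store, gateway, session_user, packet):
    """Hardened handler: the order number is only a lookup key. Ownership,
    order state and the provider-confirmed amount are all checked
    server-side; nothing in the packet is trusted."""
    order = store.get(packet["order_id"])
    if order is None:
        return "no such order"
    if order.user_id != session_user:
        return "forbidden"
    if order.status == "paid":
        return "already paid"  # idempotent: a replayed request is a no-op
    paid = gateway.lookup(order.order_id)
    if paid is None:
        return "payment not confirmed"
    if paid != order.total_cents:
        return "amount mismatch"
    order.status = "paid"
    return "ok"


def run_scenario():
    """Replays the advisory's reproduction against both handlers and
    returns the observable outcomes."""
    # Attacker 'alice' places a 199.00 order and never pays for it.
    # The intercepted payment packet is edited to carry that order number.
    packet = {"order_id": "ORD-1001", "amount": 0}

    vuln_store = OrderStore()
    vuln_store.create("ORD-1001", "alice", 19900)
    vuln_result = pay_vulnerable(vuln_store, packet)
    vuln_status = vuln_store.get("ORD-1001").status

    hard_store = OrderStore()
    hard_store.create("ORD-1001", "alice", 19900)
    gateway = FakeGateway()
    replay = pay_hardened(hard_store, gateway, "alice", packet)
    other_user = pay_hardened(hard_store, gateway, "mallory", packet)
    gateway.confirm("ORD-1001", 100)  # provider saw only 1.00
    short_pay = pay_hardened(hard_store, gateway, "alice", packet)
    gateway.confirm("ORD-1001", 19900)  # full amount now confirmed
    real_pay = pay_hardened(hard_store, gateway, "alice", packet)
    second = pay_hardened(hard_store, gateway, "alice", packet)

    return {
        "vulnerable": (vuln_result, vuln_status),
        "hardened": (replay, other_user, short_pay, real_pay, second,
                     hard_store.get("ORD-1001").status),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

Note that the hardened handler never reads the amount field from the client packet at all; the amount to compare against comes from the server-side order record and the provider's confirmation. That is the property the remediation text asks for, and it is what makes tampering with the packet useless.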

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.