Kabum corrects flaw in the PIX that showed data from other customers

A flaw in the implementation of the PIX payment system at the Kabum online store in December 2020 allowed an attacker to view other customers’ data. It was possible to see which order was placed, the amount, the buyer’s full name and CPF, and the date and number of the order. When alerted to the problem, Kabum corrected it immediately, and there are no reports that the flaw was exploited maliciously.

Kabum was alerted to the problem, which was corrected a few hours after the alert

According to an anonymous source, the problem was in the QR Code string used for PIX payment. “Kabum follows the order number which is sequential, so it is easy to find others. And then, using the QR Code data, just follow the thread to the payer’s personal data and what he asked for”, warned the source.

When asked about the encryption of this information, the source replied: “Cryptography does not bring secrecy when there is no secret element; the encryption of Pix data guarantees authenticity and a chain of accountability, but that is all”. The online store adds: “We reinforce that the system was implemented by KaBuM! following all the recommendations and security protocols requested by the Central Bank”.


  • Kabum was alerted by TecMundo about the problem, which was corrected a few hours after the December 18 alert.

According to the documents received, the vulnerability occurred in payments made by PIX Itaú in a specific period. Kabum denies that the flaw was exploited by cyber criminals.
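The source's point about sequential order numbers, and the 30-minute expiry cited in Kabum's statement, suggest two controls: a QR Code reference that cannot be derived from the order number, and deletion of the charge data once it expires. The sketch below is an added example, not KaBuM!'s or the Central Bank's code; `ChargeStore`, its methods and its fields are hypothetical names.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 30 * 60  # 30-minute expiry, as cited in the store's statement


class ChargeStore:
    """Hypothetical store mapping unguessable QR references to orders."""

    def __init__(self, clock=time.time):
        self._charges = {}  # sha256(reference) -> (order_id, amount_cents, expires_at)
        self._clock = clock

    @staticmethod
    def _key(reference):
        # Only a digest is stored, so a dump of the table does not
        # reveal references that are still valid.
        return hashlib.sha256(reference.encode()).hexdigest()

    def create(self, order_id, amount_cents):
        # 128 bits from the OS CSPRNG: knowing one reference reveals nothing
        # about the next one, unlike a sequential order number.
        reference = secrets.token_urlsafe(16)
        expires_at = self._clock() + TTL_SECONDS
        self._charges[self._key(reference)] = (order_id, amount_cents, expires_at)
        return reference

    def lookup(self, reference):
        key = self._key(reference)
        record = self._charges.get(key)
        if record is None:
            return None  # unknown or guessed reference
        order_id, amount_cents, expires_at = record
        if self._clock() >= expires_at:
            del self._charges[key]  # purge charge data at expiry
            return None
        return order_id, amount_cents

    def purge_expired(self):
        # Periodic sweep for charges nobody looked up after they expired.
        now = self._clock()
        stale = [k for k, rec in self._charges.items() if now >= rec[2]]
        for k in stale:
            del self._charges[k]
        return len(stale)
```

The internal order number stays on the server side; the QR Code string carries only the random reference, so incrementing an order number no longer leads to another customer's charge.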

The error was in the QR Code

Kabum’s statement

As with all company developments, especially an innovation like PIX, security and best practice protocols are adopted in full. Thus, we reinforce that the system was implemented by KaBuM! following all recommendations and security protocols requested by the Central Bank.

In view of the possibility described by TecMundo, on December 18, 2020, comprising the first days of operation of the service, both the development and security teams of KaBuM! and those of the financial institutions supplying PIX were promptly called upon to carry out new tests and eventual corrections, in order to avoid any systemic behavior different from that expected by the established protocols, as well as to ensure that there was no data leakage or any type of damage to our clients.

Within the continuous improvements and with the utmost caution, still regarding TecMundo's contact, an update was previously carried out so that all data contained in the Pix key are automatically deleted, both by KaBuM! and by the Central Bank after its expiration, which occurs in just 30 minutes. This largely mitigates any data exposure.

It is important to highlight that, as it is a new system, it is natural that Pix is subject to improvements. An example of this was the episode witnessed on February 11, 2021, involving fluctuations in the Central Bank’s means of payment platform at financial institutions across the country. However, such improvement needs do not overlap with the importance of this service to Brazilian consumers and companies.

In our e-commerce, PIX is completing two months, running quickly and safely, without any complications since its implementation. The new service even ranks second in preference for the payment methods used by our customers.

Again, KaBuM! thanks TecMundo and its source immensely for their professionalism, as well as for the opportunity for clarification. We remain at your service.
