Pix, also used as a messaging app, can send HTML code | Finance

Since the beginning of the year, there have been some curious applications for the Pix: there are those who define themselves as “pixsexual” and share their key to receive calls (and money) from followers; and there are those who send transfers of R $ 0.01 with messages to the loved one. The annotations feature also has a dangerous side: it is possible to send HTML code to contacts, potentially making room for scams.

Pix (Image: Disclosure / Central Bank)

Pix (Image: Disclosure / Central Bank)

In a statement to the Tecnoblog, the Central Bank explains that it has included the obligation for Pix participants to only admit secure HTML tags in the text of the annotations. The rule began to apply on January 15, 2021.

This is stated in the Minimum Requirements for User Experience, which are part of Pix’s regulations. “The‘ Description ’field should be sanitized and only allow secure HTML tags,” says the most recent version of the document.

How Pix annotations work

O Tecnoblog tested Pix’s notes at 10 financial institutions, including Itaú, Bradesco, Santander, Nubank, Caixa, Banco do Brasil, Inter and C6 Bank. In our analysis, we note that the implementation of this feature is quite inconsistent.

It is possible to send HTML code through Pix via Nubank, Bradesco, Banco do Brasil and Caixa. That is, the recipient can receive something like the example below:

Clique aqui

If the bank’s app rendered this, that text would become a clickable link that could lead the user to a phishing site to steal data.

Of the 10 banks we analyzed, none convert HTML to clickable links. However, the potential for abuse still remains; there are 734 institutions accredited to Pix, and each one implements this function differently.

BC may punish banks that do not display Pix notes

Nubank displays HTML code sent via Pix; Itaú removes characters (Image: Reproduction)

Nubank displays HTML code sent via Pix; Itaú removes characters (Image: Reproduction)

The best would be to do the same as Itaú, which sends annotations via Pix removing characters like <, / and = used to generate links. That is, the example above would reach the recipient only as:

a href="https://tecnoblog.net/golpe.com"Clique aquia

This assuming that the note will reach the recipient. Caixa and Santander simply do not receive messages via Pix; while Inter and C6 do not receive or send this type of data.

The BC states to the Tecnoblog that all institutions with Pix must send the message if it is inserted at the time of initiation. “Participants who do not comply with this requirement are subject to the penalties provided for in the Pix Regulation,” says the statement.

Bank / fintech Send a message via Pix? Do you receive a message via Pix?
Nubank yes, send complete HTML code yes, including HTML code (but not clickable)
Bradesco yes, send complete HTML code yes, but it removes characters like <, > e =
Bank of Brazil yes, send complete HTML code yes, but it removes characters like <, > e =
Cashier yes, send complete HTML code not
Itaú yes, but it removes characters like <, > e = yes, but it removes characters like <, > e =
PicPay yes, but remove text within <> tags yes, but it removes characters like <, > e =
Santander yes, but convert not
Inter not not
C6 not not
Neon not not

The Central Bank makes few technical requirements for Pix notes. As the official documentation explains, the message is contained in the “infoAdditional” field, of the string type, which can be up to 72 characters long (depending on the size of the Pix key). Its use is optional, that is, the customer does not need to fill in this field.

Spam via Pix?

Pix (Image: Disclosure / Central Bank)

Pix (Image: Disclosure / Central Bank)

The message functionality was designed for something much simpler, like “my part of the barbecue” or “a gift for you”. However, use in the real world probably exceeded the scope that BC imagined.

For example, at the beginning of the month, we had a report by Matheus Siqueira on Twitter: “my cousin broke up with his girlfriend because she cheated on him, then he blocked EVERYTHING; to be able to talk to him, she started sending several 1 cent Pix with messages apologizing ”.

The BC explained to the leaf which will not give you the option to block payments to avoid this type of situation: “what the user can do is configure the application of the institution in which he keeps the account so as not to receive notification”.


This might open up the possibility of spam via Pix, especially since the BC requires banks to show the description that accompanies each transaction. However, as shown above, some customers still do not receive these messages.

In addition, certain people are after exactly this type of interaction. There are those who reveal their Pix key – such as social security number, email or cell phone number – to receive money and even messages of possible romantic interests. They are called “pixsexuals”.

However, the BC warns the CNN Brazil that “Pix is ​​a means of payment, not a social network”. The agency also asks for caution when sharing Pix keys on the internet, as they may involve sensitive personal data. The recommendation is to use a random key, which is a little less practical, but is more secure.

Leave a Comment