Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Report a vulnerability that you have found to SecurityTracker
|
|
|
|
Want to learn about SecurityTracker? We've got answers to frequently asked questions right here
|
|
|
|
|
|
|
|
|
|
|
Shopping Carts Using VeriSign's Payflow Link Payment System May Accept Invalid Credit Approval Transactions as Valid Transactions
|
Date: Jan 4 2002
|
Impact: Modification of user information
|
Vendor Confirmed: Yes
|
Version(s): tested with Miva Merchant 3.x
|
Description: A vulnerability was reported in the Miva Merchant shopping cart's integration of VeriSign's Payflow Link payment system. The shopping
cart software may accept an invalid credit approval transaction as valid. Other carts may also be affected.
It is reported that there is no authentication on VeriSign Payflow Link payment approval indications as accepted by the Miva Merchant
shopping cart. A remote user can cause the shopping cart software to accept a transaction as approved by Payflow Link when it has
not been approved.
Any user of shopping cart software that does not validate payment via their VeriSign Payflow Link account
may be vulnerable.
Both VeriSign and Miva Merchant have reportedly been notified.
Some demonstration exploit steps are described
in the Source Message.
[Editor's Note: This appears to be a system integration flaw due to the integration of the two systems
and the manner in which the shopping cart uses the VeriSign system rather than a bug in the VeriSign system itself. The design
used in the integration of these two systems inherently does not provide any validation authentication from the payment system to
the shopping cart. However, because some users may have the expectation of security, this is reported as a vulnerability in VeriSign's
system.]
|
Impact: A remote user of Miva Merchant shopping cart software (and possibly other shopping carts) can cause the shopping cart to accept any
payment validation transaction as approved by Payflow Link, regardless of whether it has been approved or not.
|
Solution: No vendor solution was available at the time of this entry. However, merchants can validate payment via their VeriSign Payflow Link account before shipping orders.
|
Vendor URL: www.verisign.com/products/payflow/link/index.html (Links to External Site)
|
Cause: Authentication error, State error
|
Reported By: "Keith Royster" <keith@theroysters.com>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 3 Jan 2002 09:39:43 -0500
From: "Keith Royster" <keith@theroysters.com>
Subject: Vuln in Verisign PayFlow Link payment service
|
Hello! I'm very new to this list and am looking for advice on how and where
to properly post information regarding a vulnerability I have identified
with Verisign's PayFlow Link credit card payment service. I would
ultimately like for this information to get into the Vuln Database at
BugTraq, but do not know the proper procedures and requirements for getting
it there. Below is a brief(?) description of the service and the exploit...
THE SERVICE: The final checkout page of various online shopping cart
applications presents the shopper with a form asking for credit card acct#,
exp date, etc. When the shopper submits the form, the data is sent directly
to the vendor's PayFlow Link account at Verisign for validation. If the
credit card information if validated, Verisign authorizes payment and
submits the data back to the vendors shopping cart application. When the
vendor's shopping app receives this data, it assumes payment was authorized
and finalizes the order for the vendor to fill and ship it.
EXPLOIT #1: On the final checkout page, save the HTML to disk and edit the
ACTION= portion of the form to direct the data back at the shopping cart
instead of to verisign. The exact URL should match that which verisign
would submit a validated order to. Save the edited HTML, reload in your
browser, and submit bogus credit card info with your order. Since there is
no authentication between Verisign and the shopping application, the
shopping app will think that the card was authorized, and so it will
finalize the order.
EXPLOIT #2: Sign up for a free demo PayFlow Link account at Verisign. While
in demo mode, this account will "validate" almost any credit card info
submitted to it. This account should be configured to send the confirmation
information to the exploitee's shopping system. Then perform a similar HTML
edit of the final checkout page as above, only this time change the hidden
form tag to direct the payment to your demo PayFlow Link account. Save the
HTML, reload in your browser, and submit bogus credit card info.
THE RISK: Vendors that do no validate payment in their Verisign acct prior
to shipment, or those that offer immediate downloads of software upon
payment, are vulnerable to theft.
WHAT I KNOW: I have successfully performed both exploits on a Miva Merchant
3.x shopping cart. I have not had the opportunity to test other shopping
cart applications or other versions of Merchant. I have communicated this
information to both Miva and Verisign. Verisign tested and confirmed both
exploits as well. They then responded that they do not intend to fix it -
that instead they will educate their customers regarding the risks and
encourage them to upgrade to the more secure (and costly) PayFlow Pro
product.
WHAT I DON'T KNOW: I don't know what other shopping cart applications (if
any, besides Miva's) are vulnerable. But I am highly suspicious that others
are. I also have not verified any other version of Miva Merchant besides
3.x. Merchant 4.x is the most current version, but I think it's PayFlow Link
module is the same and so it should be vulnerable as well. I would be
interested in working with others that have access to other shopping cart
apps that can interface with PayFlow Link.
TIA!
|
|
Go to the Top of This SecurityTracker Archive Page
|
