Vulnerability Development mailing list archives

Re: Vuln in Verisign PayFlow Link payment service


From: "Keith Royster" <keith () homebrew com>
Date: Thu, 3 Jan 2002 22:08:25 -0500

Perhaps a fix for VeriSign would be to pass back a secret code (configurable through the PayFlow Link admin panel) that does not originate from a cart input value, but is stored and sent from PayFlow. Then a simple 'if' statement in the cart software could weed out the bad along with an e-mail sent to the admin.

I suggested this very idea to Verisign when I initially contacted them. My
suggestion was to use the account password as the 'secret code' (perhaps
encrypted?), but any shared secret would do as long as it is only passed
directly from verisign back to the shopping cart app.
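The check described in this thread, written out as an added example (not code from the original post, from VeriSign, or from any cart product): the cart accepts a payment-confirmation postback only when it carries a shared secret that was configured on the gateway side and stored in the cart's own configuration, never taken from a form field. The field names `SECRET`, `RESULT`, `INVOICE` and `AMOUNT`, the `RESULT=0` approval code, the order book and the secret value are assumptions constructed for the example; the admin e-mail is replaced by an in-memory alert list so it runs offline. It goes one step beyond the post by also cross-checking the posted amount against the cart's own order record.

```python
import hmac

# Constructed shared secret for this example (assumption: set in the PayFlow
# Link admin panel and stored in the cart's own configuration; never read from
# a form field the shopper's browser can supply).
PAYFLOW_SHARED_SECRET = "example-shared-secret-0123456789"

# Constructed order book standing in for the cart's database: invoice -> total
ORDERS = {"1001": "49.95", "1002": "12.00"}

# Hypothetical name of the postback field that carries the shared secret.
SECRET_FIELD = "SECRET"


def verify_postback(form, orders=ORDERS, shared_secret=PAYFLOW_SHARED_SECRET):
    """Decide whether a payment-confirmation postback may mark an order paid.

    Returns (accepted, reason). The secret is compared in constant time so a
    request that guesses at it cannot learn it from timing differences.
    """
    presented = form.get(SECRET_FIELD, "")
    if not hmac.compare_digest(presented.encode(), shared_secret.encode()):
        return False, "shared secret missing or wrong: postback did not come from the gateway"

    # RESULT=0 is treated as the gateway's approval code (assumption for this example).
    if form.get("RESULT") != "0":
        return False, "gateway did not approve: RESULT=%s" % form.get("RESULT")

    invoice = form.get("INVOICE")
    if invoice not in orders:
        return False, "unknown invoice %r" % invoice

    # Cross-check the amount against the cart's own record, so an edited or
    # replayed postback cannot mark a large order paid with a small payment.
    if form.get("AMOUNT") != orders[invoice]:
        return False, "amount %s does not match order total %s" % (
            form.get("AMOUNT"), orders[invoice])

    return True, "ok"


def handle_postback(form, alerts, orders=ORDERS, paid=None):
    """The 'simple if statement' from the post: accept, or raise an admin alert.

    `alerts` stands in for the e-mail to the administrator and `paid` collects
    invoices that may be marked paid; both are plain lists so this runs offline.
    """
    if paid is None:
        paid = []
    accepted, reason = verify_postback(form, orders)
    if accepted:
        paid.append(form["INVOICE"])
    else:
        alerts.append("rejected postback for invoice %s: %s" % (form.get("INVOICE"), reason))
    return accepted, paid


if __name__ == "__main__":
    alerts = []
    # Constructed postbacks: one carrying the configured secret, one without it.
    genuine = {SECRET_FIELD: PAYFLOW_SHARED_SECRET, "RESULT": "0",
               "INVOICE": "1001", "AMOUNT": "49.95"}
    unsigned = {"RESULT": "0", "INVOICE": "1002", "AMOUNT": "12.00"}
    print(handle_postback(genuine, alerts))
    print(handle_postback(unsigned, alerts))
    print(alerts)
```

The point of `hmac.compare_digest` rather than `==` is that a mismatch is reported after the same amount of work regardless of which byte differed, which is the property you want for any secret compared over a network.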

