Vulnerability Development mailing list archives
[Fwd: Re : Fw: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE (#5947-000093-7546\939465)]
From: Blue Boar <BlueBoar () thievco com>
Date: Mon, 07 Jan 2002 10:05:52 -0800
Date: Sat, 5 Jan 2002 20:26:15 -0800
From: vps-support <vps-support () verisign com>
To: "'keith () theroysters com'" <keith () theroysters com>, "'nbailey () hotmail com'" <nbailey () hotmail com>, "'bugtraq () securityfocus com'" <bugtraq () securityfocus com>

vps-support wrote:
Hi,

The exploits that you are talking about are inherent to the HTTP protocol. There's no way for us to get around them. We could use an http_referer on the post but a good hack can spoof that too. Basically the only way you can be totally sure is by using dedicated sockets on SSL and that is what Payflow Pro does. In addition the Payflow Pro client has a cert folder in the SDK that validates that you are talking to VeriSign on the other end and not someone spoofing the address of the transaction servers.

Payflow Link only allows Sale, Authorization, and Delay Capture transactions to be posted to it so effectively the only malicious thing you could do is tell someone that more sales have come through their shopping cart program than really have. Payflow Link merchants should use their carts to Authorize transactions then capture the transactions via the secure VeriSign Administrative site and they should also check their carts' results against what appears in the VeriSign administrative site because VeriSign is the secure connection to the card issuing banks, not their shopping carts.

Because of the HTTP protocol you might be able to intercept a transaction on a cart's page and change the amounts etc. before it gets to the VeriSign transaction broker where it is secure but again this is an HTTP issue. You can't post credits via Payflow Link so you can't really exploit Payflow Link to commit fraud if that's what you ultimately want to get at. If someone sends extra confirmations back to a cart the customer can always contact the merchant and resolve the situation assuming the merchant uses the authorization followed by capture via the VeriSign Manager method.

Thank You,
Dan G.
VeriSign Payment Services Support

-----Original Message-----
From: support
Sent: Friday, January 04, 2002 10:21 PM
To: vps-support
Subject: Re : Fw: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE (#5947-000093-7546\939465)

ORIGINAL MESSAGE:
-----------------
From: nbailey () hotmail com
Posted At: 15:56:01.530 01/04/2002
Posted To: support () verisign com
Subject: Fw: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE

Please investigate and forward to the appropriate Verisign employees...

----- Original Message -----
From: "keith royster" <keith () theroysters com>
To: <bugtraq () securityfocus com>
Sent: Friday, January 04, 2002 2:24 PM
Subject: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE

VERISIGN PAYFLOW PAYMENT SERVICE SECURITY FAILURE

PAYFLOW LINK SERVICE DESCRIPTION: The final checkout page of various online shopping cart applications presents the shopper with a form asking for credit card acct#, exp date, etc. When the shopper submits the form, the data is sent directly to the vendor's PayFlow Link account at Verisign for validation. If the credit card information is validated, Verisign authorizes payment and submits the data back to the vendor's shopping cart application.
When the vendor's shopping app receives this data, it assumes payment was authorized and finalizes the order for the vendor to fill and ship it.

EXPLOIT #1: On the final checkout page, save the HTML to disk (keeping browser open to maintain session) and edit the ACTION= portion of the form to direct the data back at the shopping cart instead of to verisign. The exact URL should match that which verisign would submit a validated order to. Save the edited HTML, reload in your browser, and submit bogus credit card info with your order. Since there is no authentication between Verisign and the shopping application, the shopping app will think that the card was authorized, and so it will finalize the order.

EXPLOIT #2: Sign up for a free demo PayFlow Link account at Verisign. While in demo mode, this account will "validate" almost any credit card info submitted to it as long as the card# meets basic format, expiration date hasn't expired, and amount <= $100. This demo account should be configured to send the confirmation information to the exploitee's shopping system. Then perform a similar HTML edit of the final checkout page as above, only this time change the hidden form tag to direct the payment to the demo PayFlow Link account. Save the HTML, reload in your browser, and submit bogus credit card info.

THE RISK: Vendors that do not validate payment in their Verisign acct prior to shipment, or those that offer immediate downloads of software upon payment, are vulnerable to theft.

THE FIX: In a communication from Verisign, they recommend upgrading to their more secure PayFlow Pro product if you have security concerns with PayFlow Link.

WHAT I KNOW: I have successfully performed both exploits on a Miva Merchant 3.x shopping cart. Due to a lack of accessibility, I have not tested other shopping cart applications or other versions of Miva Merchant. I have communicated this information to both Miva and Verisign. Verisign tested and confirmed both exploits as well.
They then responded that they will work with Miva to work towards better security, although they did not offer any timelines. They did not mention working with other vendors of other shopping carts, nor did they admit the problem exists with other shopping cart apps. Their only current solution is to educate their customers regarding the risks and encourage them to upgrade to the more secure (and costly) PayFlow Pro product.

WHAT I DON'T KNOW: I don't know what other shopping cart applications (if any, besides Miva's) are vulnerable. But I am highly suspicious that others are because the problem seems to be that the PayFlow Link app does not offer any credentials so that the receiving shopping cart app can validate the source of the data. I also have not verified any other version of Miva Merchant besides 3.x. Merchant 4.x is the most current version, but I think it uses the same PayFlow Link module and so it should be vulnerable as well. I would be interested in working with others that have access to other shopping cart apps that can interface with PayFlow Link.

PS - my first post to bugtraq, so I hope I did it right. Please let me know if I've left anything off.

--
keith royster
keith () theroysters com
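
The root cause named in the report above is that the cart has no credential with which to validate the source of a payment confirmation. The following is an added example, not part of the original thread and not a Payflow Link feature: a cart-side check that accepts a confirmation only if it carries an HMAC made with a per-merchant secret and matches a pending order. The secret, field names and function names are all hypothetical.

```python
import hashlib
import hmac
import json
import time

# Hypothetical per-merchant secret, provisioned out of band (constructed value).
MERCHANT_SECRET = b"constructed-demo-secret"
SIGNED_FIELDS = ("order_id", "amount_cents", "result", "nonce", "ts")
MAX_AGE_SECONDS = 300
_seen_nonces = set()  # replay cache; a real cart would persist this


def sign_confirmation(fields, secret=MERCHANT_SECRET):
    """Gateway side: MAC over every field the cart will act on."""
    # JSON array encoding keeps field boundaries unambiguous.
    msg = json.dumps([str(fields[k]) for k in SIGNED_FIELDS]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_confirmation(post, orders, now=None, secret=MERCHANT_SECRET):
    """Cart side: return (accepted, reason) for an incoming confirmation POST."""
    now = time.time() if now is None else now
    try:
        expected = sign_confirmation(post, secret)
    except KeyError:
        return False, "missing field"
    supplied = str(post.get("mac", "")).encode()
    if not hmac.compare_digest(expected.encode(), supplied):
        return False, "bad mac"  # unsigned, altered, or signed under another key
    if abs(now - int(post["ts"])) > MAX_AGE_SECONDS:
        return False, "stale"
    if post["nonce"] in _seen_nonces:
        return False, "replay"
    order = orders.get(post["order_id"])
    if order is None or order["amount_cents"] != int(post["amount_cents"]):
        return False, "order mismatch"  # amount must equal what the cart recorded
    if post["result"] != "approved":
        return False, "not approved"
    _seen_nonces.add(post["nonce"])
    return True, "ok"


if __name__ == "__main__":
    orders = {"A1001": {"amount_cents": 4999}}  # constructed pending order
    post = {"order_id": "A1001", "amount_cents": "4999", "result": "approved",
            "nonce": "n-1", "ts": "1010000000"}  # constructed confirmation
    post["mac"] = sign_confirmation(post)
    print(verify_confirmation(post, orders, now=1010000000))  # first delivery
    print(verify_confirmation(post, orders, now=1010000000))  # replayed copy
    del post["mac"]
    print(verify_confirmation(post, orders, now=1010000000))  # unsigned POST
```

Where the gateway offers no such credential, the cart cannot run this check, and reconciling each order against the gateway's own records before shipment remains the control.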