Bugtraq mailing list archives

Authorize.net calls passwords in clear text as part of url


From: John Hennessy <johnh () CHARM NET>
Date: Wed, 2 Aug 2000 14:34:28 -0400

Recently we switched to authorize.net for credit card processing.
After a bit of work trying to fix a processing problem we were having,
I noticed that our login and password were in clear text as part of the
URL.

I contacted authorize.net regarding my concerns and their response was:


Date: Mon, 10 Jul 2000 08:41:11 -0700

 Greetings from Authorize.Net!

 Thank you for taking the time to write to us. I sent this issue up to the
developers, and here is their response:

 This aspect of the system seems to be a security risk at first glance, but
upon further explanation, it becomes clear that this is no more an issue
than anything else that can be accessed on someone's machine. He is
pointing out the fact that the password and the login can be found on a
machine in the URL. This is absolutely true. But why would someone without
permission have access to this person's computer? Is this person accessing
his virtual terminal from the public library? It's true that if a person
is looking over this person's shoulder as they log in to the merchant
menu, then they are at risk. But that same security risk applies to any
confidential papers that may be stored on that person's computer, as well
as any saved passwords for their banking, their email, etc. To avoid
having this be a problem, they must make sure their computer is in a safe
area that isn't accessed by anyone whom they wouldn't want to know the
password.

 Thank you for contacting our customer service group. Please let us know
if there is anything we can do to help you in the future.

 Greg
 Authorize.Net
 Customer Support

The problem:
Example:

--------------------------------------
Taken from the page right after the login screen.


<MAP NAME="bottombar">

  <AREA SHAPE="RECT" ALT="Account Info" COORDS="0,0,83,12"
HREF="minterface.dll?statement&x_login=mylogin&x_password=mypass"
TARGET="main">

  <AREA SHAPE="RECT" ALT="Settings" COORDS="84,0,152,12"
HREF="minterface.dll?settingsmenu&x_login=mylogin&x_password=mypass"
TARGET="main">

  <AREA SHAPE="RECT" ALT="Stats" COORDS="153,0,202,12"
HREF="/common/comingsoon.html" TARGET="main">

  <AREA SHAPE="RECT" ALT="Support" COORDS="203,0,281,12"
HREF="minterface.dll?support&x_login=mylogin&x_password=mypass"
TARGET="main">

</MAP>

----------------------------------------------------

After some looking around I found that Netscape's netscape.hst file could
be searched for "minterface.dll" with a text editor. It also contains the
login and password in clear text.

Example:

-----------------------------------------------------------------------
Taken from netscape.hst.

Batch Reports
https://secure.authorize.net/Interface/minterface.dll?batchreportmenu&x_login=mylogin&x_password=mypass

-----------------------------------------------------------------------

Under Internet Explorer the same thing can be obtained looking
through the history.

This means:

Anyone with knowledge of what machine is used to log in to authorize.net
can obtain the clear text username and password. Another example would be
something like the I-LOVE-YOU virus spread via email. This could then be
used to send back Netscape and Internet Explorer history files to an
attacker.


I wanted to take the time to write something aimed at Outlook and/or
Internet Explorer to show how this could easily be exploited.
Unfortunately I don't have the time.

Possible Solutions:

Use the POST method instead of GET to pass arguments to CGI programs, so
that the credentials are not part of the URL that browsers and proxies
record. Or apply some form of encryption to the password and other
sensitive data.
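As an added example (not from the post or from Authorize.Net), a small Python audit that finds and redacts credential-bearing URLs in a history file or log export, the kind of check a merchant could run against netscape.hst. The sample history lines are constructed in the layout of the netscape.hst excerpt above; the x_login/x_password parameter names come from the post, the other parameter names are assumptions.

```python
from urllib.parse import unquote_plus, urlsplit, urlunsplit

# Query-parameter names treated as credentials. x_login / x_password are the
# Authorize.Net names quoted in the post; the rest are assumed common names.
SENSITIVE = {"x_login", "x_password", "login", "password", "passwd", "pwd"}

def credentials_in_url(url):
    """Return {param: value} for credential parameters in the query string.
    Works for absolute and relative URLs; bare fields such as the
    'statement' selector in minterface.dll?statement&... are ignored."""
    found = {}
    for field in urlsplit(url).query.split("&"):
        name, sep, value = field.partition("=")
        if sep and name.lower() in SENSITIVE:
            found[name] = unquote_plus(value)
    return found

def redact_url(url):
    """Replace credential values with *** so the URL is safe to log or report."""
    parts = urlsplit(url)
    fields = []
    for field in parts.query.split("&"):
        name, sep, value = field.partition("=")
        if sep and name.lower() in SENSITIVE:
            value = "***"
        fields.append(name + sep + value)
    return urlunsplit(parts._replace(query="&".join(fields)))

# Constructed sample in the layout of the netscape.hst excerpt:
# a title line followed by the URL line.
SAMPLE_HISTORY = """\
Batch Reports
https://secure.authorize.net/Interface/minterface.dll?batchreportmenu&x_login=mylogin&x_password=mypass
Coming Soon
https://secure.authorize.net/common/comingsoon.html
Search
https://www.example.test/search?q=quarterly+report
"""

def audit(text):
    """Scan text (history export, access log) and return one
    (line_no, redacted_url, leaked_param_names) tuple per offending URL."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for token in line.split():
            if "://" not in token:
                continue
            creds = credentials_in_url(token)
            if creds:
                hits.append((n, redact_url(token), sorted(creds)))
    return hits

if __name__ == "__main__":
    for line_no, url, names in audit(SAMPLE_HISTORY):
        print(f"line {line_no}: {', '.join(names)} exposed in {url}")
```

Redacting rather than deleting the matches keeps the report useful for working out which accounts need their passwords changed.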



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
John C. Hennessy                        johnh () charm net
Systems Administrator                   410-558-3579
Charm Net, Inc.                         http://www.charm.net

"Do just once what others say you can't do, and you will never pay
attention to their limitations again." - James R. Cook
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-