[23703] in bugtraq
VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE
daemon@ATHENA.MIT.EDU (keith royster)
Fri Jan 4 18:45:38 2002
Message-ID: <1010175847.3c360f67684d2@alpha.cesmail.net>
Date: Fri, 4 Jan 2002 15:24:07 -0500
From: keith royster <keith@theroysters.com>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
VERISIGN PAYFLOW PAYMENT SERVICE SECURITY FAILURE
PAYFLOW LINK SERVICE DESCRIPTION: The final checkout page of various online
shopping cart applications presents the shopper with a form asking for credit
card acct#, exp date, etc. When the shopper submits the form, the data is sent
directly to the vendor's PayFlow Link account at Verisign for validation. If
the credit card information is validated, Verisign authorizes payment and
submits the data back to the vendors shopping cart application. When the
vendor's shopping app receives this data, it assumes payment was authorized and
finalizes the order for the vendor to fill and ship it.
EXPLOIT #1: On the final checkout page, save the HTML to disk (keeping browser
open to maintain session) and edit the ACTION= portion of the form to direct
the data back at the shopping cart instead of to verisign. The exact URL
should match that which verisign would submit a validated order to. Save the
edited HTML, reload in your browser, and submit bogus credit card info with
your order. Since there is no authentication between Verisign and the shopping
application, the shopping app will think that the card was authorized, and so
it will finalize the order.
EXPLOIT #2: Sign up for a free demo PayFlow Link account at Verisign. While in
demo mode, this account will "validate" almost any credit card info submitted
to it as long as the card# meets basic format, expiration date hasn't expired,
and amount <= $100. This demo account should be configured to send the
confirmation information to the exploitee's shopping system. Then perform a
similar HTML edit of the final checkout page as above, only this time change
the hidden form tag to direct the payment to the demo PayFlow Link account.
Save the HTML, reload in your browser, and submit bogus credit card info.
THE RISK: Vendors that do no validate payment in their Verisign acct prior to
shipment, or those that offer immediate downloads of software upon payment, are
vulnerable to theft.
THE FIX: In a communication from Verisign, they recommend upgrading to their
more secure PayFlow Pro product if you have security concerns with PayFlow Link.
WHAT I KNOW: I have successfully performed both exploits on a Miva Merchant
3.x shopping cart. Due to a lack of accessability, I have not tested other
shopping cart applications or other versions of Miva Merchant. I have
communicated this information to both Miva and Verisign. Verisign tested and
confirmed both exploits as well. They then responded that they will work with
Miva to work towards better security, although they did not offer any
timelines. They did not mention working with other vendors of other shopping
carts, nor did they admit the problem exists with other shopping cart apps.
Their only current solution is to educate their customers regarding the risks
and encourage them to upgrade to the more secure (and costly) PayFlow Pro
product.
WHAT I DON'T KNOW: I don't know what other shopping cart applications (if any,
besides Miva's) are vulnerable. But I am highly suspicious that others are
because the problem seems to be that the PayFlow Link app does not offer any
credentials so that the receiving shopping cart app can validate the source of
the data. I also have not verified any other version of Miva Merchant besides
3.x. Merchant 4.x is the most current version, but I think it uses the same
PayFlow Link module and so it should be vulnerable as well. I would be
interested in working with others that have access to other shopping cart apps
that can interface with PayFlow Link.
PS - my first post to bugtraq, so I hope I did it right. Please let me know if
I've left anything off.
--
keith royster
keith@theroysters.com
