[23714] in bugtraq
Re: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE
daemon@ATHENA.MIT.EDU (David Frascone)
Sat Jan 5 21:40:31 2002
Date: Sat, 5 Jan 2002 19:21:53 -0600
From: David Frascone <dave@frascone.com>
To: bugtraq@securityfocus.com
Message-ID: <20020106012153.GA3221@newman.frascone.com>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
It really depends on the application. The cart I maintain gets the info
back from verisign via the post, *and* an e-mailed receipt. Also, we
routinely verify large orders at verisign directly.

I'll admit that it's a hole, I just don't think it's a very big one.

Just my $.02 worth,

Dave

On Friday, 04 Jan 2002, keith royster wrote:
> PAYFLOW LINK SERVICE DESCRIPTION: The final checkout page of various online
> shopping cart applications presents the shopper with a form asking for credit
> card acct#, exp date, etc. When the shopper submits the form, the data is sent
> directly to the vendor's PayFlow Link account at Verisign for validation. If
> the credit card information is validated, Verisign authorizes payment and
> submits the data back to the vendor's shopping cart application. When the
> vendor's shopping app receives this data, it assumes payment was authorized and
> finalizes the order for the vendor to fill and ship it.
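
The difference between a cart that believes the posted-back result and one that reconciles it against the processor's own record (the check described in the reply), as an added example that is not part of the original messages. The field names `order_id` and `result`, the lookup function and all sample data are hypothetical and are not the PayFlow Link interface.

```python
from decimal import Decimal

def sample_orders():
    # Constructed sample data: orders the cart created and is waiting on.
    return {"1001": {"amount": Decimal("249.99"), "status": "pending"},
            "1002": {"amount": Decimal("15.00"), "status": "pending"}}

# Constructed stand-in for the processor's own records (what a merchant sees
# when checking the order at the processor or reading the e-mailed receipt).
PROCESSOR_RECORDS = {"1002": {"amount": Decimal("15.00"), "approved": True}}

def finalize_trusting_post(post, orders):
    """The flow in the quoted description: a POST that claims approval is believed."""
    order = orders.get(post.get("order_id"))
    if order is None or post.get("result") != "approved":
        return False
    order["status"] = "paid"
    return True

def finalize_with_reconciliation(post, orders, lookup):
    """Treat the POST only as a hint; decide from the cart's and processor's records."""
    order_id = post.get("order_id")
    order = orders.get(order_id)
    if order is None or order["status"] != "pending":
        return "rejected: unknown or already finalized order"
    record = lookup(order_id)  # hypothetical out-of-band lookup
    if record is None or not record["approved"]:
        return "held: no approval on record at processor"
    if record["amount"] != order["amount"]:
        return "held: amount mismatch"
    order["status"] = "paid"
    return "finalized"

if __name__ == "__main__":
    unverified = {"order_id": "1001", "result": "approved"}  # constructed
    confirmed = {"order_id": "1002", "result": "approved"}   # constructed
    print(finalize_trusting_post(unverified, sample_orders()))
    orders = sample_orders()
    for post in (unverified, confirmed, confirmed):
        print(finalize_with_reconciliation(post, orders, PROCESSOR_RECORDS.get))
```

The third call repeats the confirmed notification to show that an order already marked paid is not finalized a second time.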