[NEWS] VeriSign "PayFlow Link" Payment Service Security Vulnerability

From: support@securiteam.com
Date: 01/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  9 Jan 2002 20:51:25 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  VeriSign "PayFlow Link" Payment Service Security Vulnerability
------------------------------------------------------------------------

SUMMARY

VeriSign's "PayFlow Link" payment service
<http://www.verisign.com/products/payflow/link/> contains a flaw that
could cause certain applications that rely blindly on results from the
submitted forms to accept payments for invalid credit card numbers.

DETAILS

The final checkout page of various online shopping cart applications
presents the shopper with a form asking for credit card acct#, exp date,
etc. When the shopper submits the form, the data is sent directly to the
vendor's PayFlow Link account at VeriSign for validation. If the credit
card information is validated, VeriSign authorizes payment and submits the
data back to the vendor's shopping cart application. When the vendor's
shopping app receives this data, it assumes payment was authorized and
finalizes the order for the vendor to fill and ship it.

Exploit #1:
On the final checkout page, save the HTML to disk (keeping browser open to
maintain session) and edit the ACTION= portion of the form to direct the
data back at the shopping cart instead of to VeriSign. The exact URL
should match that which VeriSign would submit a validated order to. Save
the edited HTML, reload in your browser, and submit bogus credit card info
with your order. Since there is no authentication between VeriSign and the
shopping application, the shopping app will think that the card was
authorized, and so it will finalize the order.

Exploit #2:
Sign up for a free demo PayFlow Link account at VeriSign. While in demo
mode, this account will "validate" almost any credit card info submitted
to it as long as the card# meets basic format, expiration date hasn't
expired, and amount <= $100. This demo account should be configured to
send the confirmation information to the target's shopping system. Then
perform a similar HTML edit of the final checkout page as above, only this
time change the hidden form tag to direct the payment to the demo PayFlow
Link account. Save the HTML, reload in your browser, and submit bogus
credit card info.

Impact:
Vendors that do not validate payment in their VeriSign acct prior to
shipment, or those that offer immediate downloads of software upon
payment, are vulnerable to theft.

Workaround:
In a communication from VeriSign, they recommend upgrading to their more
secure PayFlow Pro product if you have security concerns with PayFlow
Link.

Vendor response:
"The exploits that you are talking about are inherent to the HTTP
protocol. There is no way for us to get around them. We could use an
http_reffer on the post but a good hack can spoof that too.

The only way you can be sure is by using dedicated sockets on SSL and that
is what PayFlow Pro does. In addition, the PayFlow Pro client has a cert
folder in the SDK that validates that you are talking to VeriSign on the
other end and not someone spoofing the address of the transaction servers.

PayFlow Link only allows Sale, Authorization, and Delay Capture
transactions to be posted to it so effectively the only malicious thing
you could do is tell someone that more sales have come through their
shopping cart program than really have. PayFlow Link merchants should use
their carts to Authorize transactions then capture the transactions via
the secure VeriSign Administrative site and they should check their carts'
results against what appears in the VeriSign administrative site because
VeriSign is the secure connection to the card issuing banks, not their
shopping carts. Because of the HTTP protocol, you might be able to
intercept a transaction on a cart's page and change the amounts etc before
it gets to the VeriSign transaction broker where it is secure but again this
is an HTTP issue.

You cannot post credits via PayFlow Link so you cannot really exploit
PayFlow Link to commit fraud if that is what you ultimately want to get
at. If someone sends extra confirmations back to a cart the customer can
always contact the merchant and resolve the situation assuming the
merchant uses the authorization followed by capture via the VeriSign
Manager method."

ADDITIONAL INFORMATION

The information has been provided by <mailto:keith@theroysters.com> keith
royster and <mailto:vps-support@verisign.com> vps-support.
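
The check that the Impact and Vendor response sections call for, holding any order the cart marks as paid until it matches an approved transaction in the merchant's own gateway account, is sketched below as an added example (not part of the original advisory and not VeriSign code). The record layout, field names and sample data are assumptions made up for illustration; how the gateway records are obtained is outside the example.

```python
from decimal import Decimal

# Constructed sample data. Field names are assumptions for this example,
# not the PayFlow Link report format.
CART_ORDERS = [
    {"order_id": "A100", "amount": "49.95", "status": "paid"},
    {"order_id": "A101", "amount": "19.00", "status": "paid"},    # no gateway record
    {"order_id": "A102", "amount": "250.00", "status": "paid"},   # amount differs
    {"order_id": "A103", "amount": "15.00", "status": "paid"},    # declined at gateway
    {"order_id": "A104", "amount": "30.00", "status": "pending"},
]
# Transactions recorded in the merchant's own gateway account (constructed).
GATEWAY_TXNS = [
    {"order_id": "A100", "amount": "49.95", "result": "approved"},
    {"order_id": "A102", "amount": "2.50", "result": "approved"},
    {"order_id": "A103", "amount": "15.00", "result": "declined"},
]


def reconcile(cart_orders, gateway_txns):
    """Return {order_id: reason} for cart orders that must not ship yet."""
    # Index approved amounts by order id; declined transactions never count.
    approved = {}
    for txn in gateway_txns:
        if txn["result"] == "approved":
            approved.setdefault(txn["order_id"], []).append(Decimal(txn["amount"]))

    held = {}
    for order in cart_orders:
        if order["status"] != "paid":
            continue  # the cart never claimed payment; nothing to verify
        amounts = approved.get(order["order_id"])
        if not amounts:
            # Covers a confirmation that never passed through the merchant's
            # account, whatever its origin.
            held[order["order_id"]] = "no approved transaction in merchant account"
        elif Decimal(order["amount"]) not in amounts:
            held[order["order_id"]] = "approved amount differs from order total"
    return held


if __name__ == "__main__":
    for order_id, reason in reconcile(CART_ORDERS, GATEWAY_TXNS).items():
        print(f"HOLD {order_id}: {reason}")
```

Amounts are compared as `Decimal` values so that currency strings are not subject to floating-point rounding; shipment or download release would be gated on an order being absent from the returned mapping.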
