Miva, Miva Script, Miva Empresa, Miva Mia and Miva Merchant are registered trademarks of the Miva Corporation
 

 

MIVA® SECURITY: Verisign's PayFlow Link Security Flaw

by Keith Royster, 01/04/2002

  1. Miva Merchant Payment Modules
  2. Keith's post to Miva Merchant User List
  3. Keith's post to Bugtraq
  4. Useful links
  5. User Comments


Miva Merchant Payment Modules

Keith Royster described a security flaw in Verisign's PayFlow Link payment module for Miva Merchant. This module is the only native Merchant payment module that does not use the MvCOMMERCE libraries for secure communication with the remote gateway. Although the other native Merchant payment modules are not affected by this flaw, there may be third-party payment modules that could be exploited in a similar way to Verisign's PayFlow Link.



Keith's post to Miva Merchant User List

Original post in Miva Merchant User list archive

To: merchant-users@miva.com
Subject: [mru] Security Vulnerability in Verisign's PayFlow Link
Date: Saturday, January 05, 2002 3:16 AM
Author: keith royster <keith@theroysters.com>

For those of you using Verisign's PayFlow Link application with Miva Merchant for processing credit cards, I thought you should know that I believe I have found a vulnerability with this service. I contacted both Miva and Verisign on 12/14/01 with details of the exploit. Miva reviewed it but did not respond (I don't think the fault is theirs anyway, so that's expected). Verisign responded that there is no easy fix, and that they recommend upgrading to PayFlow Pro.

THE VULNERABILITY: In a nutshell, PayFlow Link provides no method for identifying / authenticating itself when it returns an approved/validated order to Miva Merchant. So through very basic HTML manipulation of the final checkout page of your Merchant shopping cart, a hacker could redirect his/her order to a different PayFlow Link account for validation, or could even bypass Verisign entirely. I posted more detail to the bugtraq mailing list today if you are interested.

I have verified this exploit using Miva Merchant 3.x, and so has Verisign. I have not tested Merchant 4.x, but assume it is vulnerable as well for two reasons: (1) I think the 4.x PayFlow Link modules are similar, if not the same, as 3.x; and (2) I think the vulnerability is due to the fact that PayFlow Link offers no credentials back to the shopping cart to validate itself, so all shopping carts, regardless of vendor and version, are vulnerable.

THE RISK: The result is that Miva Merchant thinks payment has been properly authorized (when it really hasn't) and so it finalizes the order for you to fill and ship. If you (the vendor) assume that payment is waiting in your Verisign account and so you ship the order without checking first, you may be vulnerable to theft. Similarly, if you offer software for immediate download after payment validation from PayFlow Link, you are also vulnerable to theft.

THE SOLUTION: After reviewing the information I sent to Verisign, their only current solution is to have you upgrade to their more secure PayFlow Pro product. They say that they will continue to work with Miva towards a solution, but offer no specifics. They also imply that Miva's implementation is faulty, but then admit that "any system relying on HTTP posting is prone to the security vulnerability" that I described for them.

keith royster
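
One way to carry out the pre-shipment check the post calls for, as an added example (not code from the post, Miva or Verisign): compare the orders the cart marked as paid against the approved transactions exported from your own gateway account. The record layout and field names are assumptions, the sample data is constructed, and the amount comparison goes a step beyond what the post describes.

```python
from decimal import Decimal

# Constructed sample data: orders the shopping cart finalized as "paid".
CART_ORDERS = [
    {"order_id": "1001", "amount": Decimal("49.95")},
    {"order_id": "1002", "amount": Decimal("120.00")},
    {"order_id": "1003", "amount": Decimal("15.00")},
    {"order_id": "1004", "amount": Decimal("80.00")},
]

# Constructed sample data: transactions exported from the merchant's own
# gateway account (hypothetical export format).
GATEWAY_TXNS = [
    {"order_id": "1001", "amount": Decimal("49.95"), "result": "approved"},
    {"order_id": "1003", "amount": Decimal("1.00"), "result": "approved"},
    {"order_id": "1004", "amount": Decimal("80.00"), "result": "declined"},
]


def reconcile(cart_orders, gateway_txns):
    """Return {order_id: reason} for orders that must not ship yet."""
    approved = {}
    for txn in gateway_txns:
        if txn["result"] == "approved":
            approved.setdefault(txn["order_id"], []).append(txn["amount"])

    held = {}
    for order in cart_orders:
        amounts = approved.get(order["order_id"])
        if not amounts:
            # Covers a callback that never came from the gateway and an
            # approval recorded in somebody else's gateway account.
            held[order["order_id"]] = "no approved transaction in merchant account"
        elif order["amount"] not in amounts:
            held[order["order_id"]] = "approved amount differs from order total"
    return held


if __name__ == "__main__":
    for order_id, reason in sorted(reconcile(CART_ORDERS, GATEWAY_TXNS).items()):
        print(f"HOLD order {order_id}: {reason}")
```
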



Keith's post to Bugtraq

Original post at http://securityfocus.com/archive/1/248459

To: BugTraq
Subject: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE
Date: Jan 4 2002 2:24PM
Author: keith royster <keith@theroysters.com>
Message-ID: <1010175847.3c360f67684d2@alpha.cesmail.net>

VERISIGN PAYFLOW PAYMENT SERVICE SECURITY FAILURE

PAYFLOW LINK SERVICE DESCRIPTION: The final checkout page of various online shopping cart applications presents the shopper with a form asking for credit card acct#, exp date, etc. When the shopper submits the form, the data is sent directly to the vendor's PayFlow Link account at Verisign for validation. If the credit card information is validated, Verisign authorizes payment and submits the data back to the vendor's shopping cart application. When the vendor's shopping app receives this data, it assumes payment was authorized and finalizes the order for the vendor to fill and ship it.

EXPLOIT #1: On the final checkout page, save the HTML to disk (keeping browser open to maintain session) and edit the ACTION= portion of the form to direct the data back at the shopping cart instead of to verisign. The exact URL should match that which verisign would submit a validated order to. Save the edited HTML, reload in your browser, and submit bogus credit card info with your order. Since there is no authentication between Verisign and the shopping application, the shopping app will think that the card was authorized, and so it will finalize the order.

EXPLOIT #2: Sign up for a free demo PayFlow Link account at Verisign. While in demo mode, this account will "validate" almost any credit card info submitted to it as long as the card# meets basic format, expiration date hasn't expired, and amount <= $100. This demo account should be configured to send the confirmation information to the exploitee's shopping system. Then perform a similar HTML edit of the final checkout page as above, only this time change the hidden form tag to direct the payment to the demo PayFlow Link account. Save the HTML, reload in your browser, and submit bogus credit card info.

THE RISK: Vendors that do not validate payment in their Verisign acct prior to shipment, or those that offer immediate downloads of software upon payment, are vulnerable to theft.

THE FIX: In a communication from Verisign, they recommend upgrading to their more secure PayFlow Pro product if you have security concerns with PayFlow Link.

WHAT I KNOW: I have successfully performed both exploits on a Miva Merchant 3.x shopping cart. Due to a lack of accessibility, I have not tested other shopping cart applications or other versions of Miva Merchant. I have communicated this information to both Miva and Verisign. Verisign tested and confirmed both exploits as well. They then responded that they will work with Miva to work towards better security, although they did not offer any timelines. They did not mention working with other vendors of other shopping carts, nor did they admit the problem exists with other shopping cart apps. Their only current solution is to educate their customers regarding the risks and encourage them to upgrade to the more secure (and costly) PayFlow Pro product.

WHAT I DON'T KNOW: I don't know what other shopping cart applications (if any, besides Miva's) are vulnerable. But I am highly suspicious that others are because the problem seems to be that the PayFlow Link app does not offer any credentials so that the receiving shopping cart app can validate the source of the data. I also have not verified any other version of Miva Merchant besides 3.x. Merchant 4.x is the most current version, but I think it uses the same PayFlow Link module and so it should be vulnerable as well. I would be interested in working with others that have access to other shopping cart apps that can interface with PayFlow Link.

PS - my first post to bugtraq, so I hope I did it right. Please let me know if I've left anything off.

--
keith royster
keith@theroysters.com
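
The missing control the post identifies is a credential on the gateway's return POST. The sketch below is an added example, not code from the post, Miva or Verisign: it assumes a hypothetical gateway that signs its callback with a secret shared only with the merchant's server, and shows the cart-side check rejecting unsigned, foreign-account and replayed approvals. All field names, account names and keys are constructed.

```python
import hashlib
import hmac
import json

# Assumption: gateway and merchant server share this secret out of band;
# it never appears in any page sent to the shopper's browser.
MERCHANT_SECRET = b"constructed-example-secret"
SIGNED_FIELDS = ("account", "order_id", "amount", "result", "txn_id")

def sign(fields, secret):
    """Gateway side: MAC over the fields that decide whether an order ships."""
    msg = json.dumps([str(fields[k]) for k in SIGNED_FIELDS]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def accept_callback(post, expected, seen_txns, secret=MERCHANT_SECRET):
    """Cart side: finalize only a gateway-signed approval of this exact order."""
    if any(k not in post for k in SIGNED_FIELDS + ("sig",)):
        return False  # unsigned or incomplete POST
    good_sig = sign(post, secret).encode()
    if not hmac.compare_digest(good_sig, str(post["sig"]).encode()):
        return False  # signed with another key, or fields altered
    if post["result"] != "approved":
        return False
    if any(post[k] != expected[k] for k in ("account", "order_id", "amount")):
        return False  # approval belongs to a different account or order
    if post["txn_id"] in seen_txns:
        return False  # replayed approval
    seen_txns.add(post["txn_id"])
    return True

def demo():
    """Constructed callbacks: genuine, unsigned, other account, replay."""
    expected = {"account": "merchant-1", "order_id": "1001", "amount": "49.95"}
    genuine = dict(expected, result="approved", txn_id="T-1")
    genuine["sig"] = sign(genuine, MERCHANT_SECRET)
    unsigned = dict(expected, result="approved", txn_id="T-2")
    other = dict(expected, account="demo-9", result="approved", txn_id="T-3")
    other["sig"] = sign(other, b"another-account-secret")
    seen = set()
    posts = (genuine, unsigned, other, genuine)
    return [accept_callback(p, expected, seen) for p in posts]
```

A token that the cart itself writes into the checkout form would not serve the same purpose, because the shopper can read it from the page source; the secret has to stay between the two servers.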



Some Useful Links

SecurityFocus BUGTRAQ Archive
Miva Merchant User List Archive
MmPGP - Secure PGP e-mail notification Miva Merchant module



   

copyright  truXoft  © 1997-2010