Technology industry watchers have castigated payments processing service Worldpay for potential operational vulnerabilities. Worldpay is billed as a secure payment gateway for businesses that incorporates the worlds of online payments, card machines and telephone payments.
The firm itself proposes that it delivers a secure proprietary technology platform to enable ‘merchants' to accept a vast array of payment types, across multiple channels, anywhere in the world.
It is precisely the Worldpay Merchant Portal that Randy Westergren has a problem with. As a senior software developer at XDA Developers, Westergren claims he has found “multiple vulnerabilities” in the Worldpay Merchant Portal. He further states that this is not the first time he has uncovered compliance issues with this kind of payment gateway technology.
Where the vulnerability arises
Westergren explains that he encountered the concerns when working with setup and testing inside the Worldpay API and Merchant Center web portal.
One of the functions of the Merchant Center is to lookup orders and associated transaction details. The real problem arose when the merchant viewed a customer's credit card transaction details in the Merchant Portal.
“This request was vulnerable such that any authenticated user of the system could view the credit card transactions of any other merchant's business, i.e. a simple IDOR (Insecure Direct Object References). While the full credit card number is not displayed in this interface, the last four digits and the expiration date are [visible] and this is valuable information for an experienced attacker,” explained Westergren.
This is not the end of the issue list highlighted by Westergren. He further details a similar IDOR vulnerability in the online Merchant Center found when using an interface through which a merchant can configure a WebPay form. This is essentially a preconfigured form used on merchant sites to accept credit cards (posting directly to Worldpay's servers).
The implications of this vulnerability are arguably much more serious, he argues. This is because an attacker could feasibly change the “Post-back” URL to one they controlled, meaning that they would have received verbose details of payment transactions nearly immediately after they occurred.
How dangerous could this be?
Speaking directly to SCMagazineUK.com in light of this story, Westergren said that the dangers from an attacker having control over the hosted WebPay form configurations are twofold.
“One, an attacker can designate his own postback URL, meaning that after a transaction occurs on the merchant's site, Worldpay's server would post the results/details of that transaction to the attacker's server, including the customer's name, billing address, phone numbers, email addresses and raw information of the transaction,” he said, referring to a flaw that he reported to Worldpay last year. He reported the problem on 27 January 2015 and it was patched within 48 hours, he says.
“The other danger is that the attacker can control the form's HTML, meaning it could be used to attack the user client-side (e.g. XSS, clickjacking, phishing),” he said. This flaw was reported in April 2015 and patched the next day.
Westergren explains that using the first vulnerability, an attacker could have collected personally identifiable information (PII) in order to use it for other phishing purposes. Using the second vulnerability, an attacker could have collected much more PII, but likely could have also gone as far as altering the payment forms in order to collect credit card details from customers (presumably either via XSS or by making specially-crafted phishing alterations).
The PCI compliance issue
On the compliance issue here, Westergren said that he is not so experienced in PCI compliance in general, but knows enough to realise it's not working.
“PCI has requirements and guidelines regarding penetration testing – it's hard to believe that such security assessments were conducted for this application without catching the low hanging fruit. I'd also have to imagine that running IIS 6.0, which has been unsupported by Microsoft for almost a year (meaning vulnerabilities are no longer being patched since there are no more updates being offered by Microsoft) somehow violates PCI Compliance,” he said.
Westergren confirmed that Worldpay fixed the problems after being notified of them earlier this year.
Richard Cassidy, cyber security evangelist at Alert Logic, also contacted SC as this story was breaking today and said that this could be a very serious exploit indeed.
“If we take the first example, whereby a specifically crafted input into the system could be created so that it returns transaction data from other merchants, including the last 4 digits of the credit-card and expiry date, this data could be very easily monetised, especially if email details of the purchaser are included; the spearphising potential is colossal and should raise an eyebrow of any user of the Worldpay service,” he said.
Cassidy explained how if you can retrieve this kind of data, you can craft e-mails that might trick users into confirming their transaction details (such as full credit card details on a typo-squatted domain) through a malicious link in the spearphising email.
“Furthermore, merchants should be deeply concerned that their consumers transactional data can be viewed by other merchants, raising substantial concern on not just data privacy issues, but competitive espionage potential too,” he said.
Alert Logic's Cassidy also makes it clear that in the second example, whereby merchants can edit the return path in WebPay forms so that transaction details could be sent to nefarious destinations, including full credit card data and not just the final 4 digits – if an attacker were to exploit this vulnerability they would have an incredible ability to steal credit card data without directly compromising the merchant site and therefore detecting this activity would be very difficult indeed for most security solutions on the market today.
He concludes, “This highlights the need for far better QA of API driven services by online payment sites when dealing with their merchants or third parties, industry data confirms that two-thirds of organisations are notified of a breach through a third party and we know that many attacks favour third-party routes, given their trusted and often less secure nature.”
[This article was updated on 13 April 2016 to clarify the dates on which flaws were reported to Worldpay and patched by the company].