[ic] [Brian Gallagher <brian@virtcert.com>] Re: Authorize.Net Plain Text Login Transmission

Stefan Hornburg Racke interchange-users@interchange.redhat.com
Thu Feb 14 17:08:01 2002


Dunno if this applies to the IC gateway, so you have to figure out that
by yourself :-;


Message-ID: <3C6A702F.D3A7FBC2@virtcert.com>
Date: Wed, 13 Feb 2002 08:54:55 -0500
From: Brian Gallagher <brian@virtcert.com>
Organization: VirtCert.com
To: bugtraq@securityfocus.com
Cc: support@authorize.net
Subject: Re: Authorize.Net Plain Text Login Transmission

It appears that Authorize.net has finally taken notice of this advisory
and has disabled the non-SSL login page on their web site.  They have
also posted the following "Important Announcement" on their web page at
https://secure.authorize.net/:

=============================
==== QUOTED MESSAGE =========
=============================
Important Announcement
February 13, 2002

Dear Authorize.Net Merchant,

The ability to run credits through the Authorize.Net system is
temporarily suspended. We are adding additional features and business
rules to the credit process to reduce the potential of an unauthorized
credit from being processed through your Authorize.Net account. This
action is being taken as part of our ongoing efforts to assist merchants
in protecting themselves against fraud. We expect to enable this newly
enhanced credit feature within the next 48 hours.

Until the new credit feature is enabled, any attempts to run a credit
transaction will fail and will result in a “duplicate transaction” error
message. This error message should only be interpreted as a rejected
credit transaction, and not as an actual duplicate transaction.

Once again, we strongly encourage you to change your password using
alphanumeric characters and to review our Security “Best Practices”
White Paper for information on how you can better detect, prevent and
manage fraud. This document is available at
http://www.authorizenet.com/files/securitybestpractices.pdf.

We understand this may be an inconvenience, but we are committed to
providing our merchants with tools to safely and confidently conduct
business using the Authorize.Net system.

Sincerely,

Authorize.Net
=============================
==== END QUOTED MESSAGE =====
=============================

My thanks to Authorize.net for responding to this serious security issue
responsibly (though rather slowly).

Sincerely,

    - Brian Gallagher


Original Advisory:

Subject:
             Authorize.Net Plain Text Login Transmission
        Date:
             Tue, 15 Jan 2002 12:18:29 -0500
       From:
             Brian Gallagher <brian@virtcert.com>
 Organization:
             VirtCert.com
         To:
             bugtraq@securityfocus.com, support@authorize.net




SYSTEMS AFFECTED


Authorize.net Merchant Account Administration System


OVERVIEW


Authorize.net provides a system for the authorization and management of
online and offline credit card transactions.  If the user omits the
"https://" portion of the URL when going to "secure.authorize.net" the
user's login and password will be transmitted in plain text across the
Internet.  An intruder would then have the ability to make unauthorized
charges and credits to charge cards through the compromised merchant
account, view the transaction history of the company, and get other
related data.


I.  DESCRIPTION


Authorize.net provides a system for the authorization and management of
online and offline credit card transactions.

You log onto the administrative section of the system by going to the
address https://secure.authorize.net.  The logon page is also available
in a non-SSL version at http://secure.authorize.net.

If you attempt to log on to the insecure page, it will appear to
function as if you had gone to the correct SSL version of the page.
When you submit your login information, it will transmit your username
and password in plain text across the Internet and then display a "403.4
Forbidden: SSL required" message.


II. IMPACT


The userid and password for your merchant account may be transmitted
plain text across the Internet.  Any man-in-the-middle would be able to
easily sniff your login information off the Internet and complete access
to your account would be obtained.

This would give the intruder the ability to make unauthorized charges
and credits to charge cards through your merchant account, and view the
transaction history of your company.


III. SOLUTIONS


A) Users: Be absolutely certain that you are accessing the SSL version
of the secure.authorize.net login page.

B) Authorize.Net: Change the FORM parameter in the login page to specify
an ABSOLUTE URL.  Change the current tag from:

 <FORM METHOD="POST" ACTION="/Interface/minterface.dll?FrameSet">

to:

 <FORM METHOD="POST"
ACTION="https://secure.authorize.net/Interface/minterface.dll?FrameSet">

This would ensure that the user login information is transmitted
securely.  However, the browser would not show the "SSL encrypted" icon
(Key or Lock) to the user.

C) Completely disable the non-SSL login page and direct users to the
correct SSL page, either by link or automatically.  This would have the
advantage of having the "SSL encrypted" icon displayed in the browser
before the form is submitted.

Option C would be my recommended solution.


IV.  VENDOR NOTIFICATION


Authorize.net was notified via their web-based support page on November
14, 2001.


V. VENDOR RESPONSE

I received this email from their support department on November 15,
2001.

=============================
==== QUOTED MESSAGE =========
=============================
Subject: RE:Security Vulnerability on Authorize.net - Plaintext
Passwords Transmitted [#5383523]

Thank you for your email.  We appreciate feedback such as this.  I will
forward your suggestions on to my manager.  Again, thank you.
Thank you for contacting our customer service group.
Please let us know if there is anything we can do to help you in the
future.
=============================
==== END QUOTED MESSAGE =====
=============================

To date, no other action has been taken on this matter, so I have
submitted it to Bugtraq for the protection of their clientele.

I have sent a copy of this message to support@authorize.net


VI. REFERENCES


Secure Page:
 https://secure.authorize.net

Vulnerable Page:
 http://secure.authorize.net



--
Brian Gallagher  -  brian@virtcert.com
Voice and Fax: 1-888-411-8144
http://www.VirtCert.com/
Web Services for Jewelers: No Programming Required












-- 
Think of it !

For projects and other business stuff please refer to COBOLT NetServices
(URL: http://www.cobolt.net; Email: info@cobolt.net; Phone: 0041-1-3884400)
