SYSTEMS AFFECTED Authorize.net Merchant Account Administration System OVERVIEW Authorize.net provides a system for the authorization and management of online and offline credit card transactions. If the user omits the "https://"; portion of the URL when going to "secure.authorize.net" the user's login and password will be transmitted in plain text across the Internet. An intruder the ability to make unauthorized charges and credits to charge cards through the compromised merchant account, view the transaction history of the company, and get other related data. I. DESCRIPTION Authorize.net provides a system for the authorization and management of online and offline credit card transactions. You log onto the administrative section of the system by going to the address https://secure.authorize.net . The logon page is also available in a non-SSL version at http://secure.authorize.net . If you attempt to log on to the insecure page, it will appear to function as if you had gone to the correct SSL version of the page. When you submit your login information, it will transmit your username and password in plain text across the Internet and then display a "403.4 Forbidden: SSL required" message. II. IMPACT The userid and password for your merchant account may be transmitted plain text across the Internet. Any man-in-the-middle would be able to easily sniff your login information off the Internet and complete access to your account would be obtained. This would give the intruder the ability to make unauthorized charges and credits to charge cards through your merchant account, and view the transaction history of your company. III. SOLUTIONS A) Users: Be absolutely certain that you are accessing the SSL version of the secure.authorize.net login page. B) Authorize.Net: Change the FORM parameter in the login page to specify an ABSOLUTE URL. Change the current tag from: <FORM METHOD="POST" ACTION="/Interface/minterface.dll?FrameSet"> to: <FORM METHOD="POST" ACTION="https://secure.authorize.net/Interface/minterface.dll?FrameSet";> This would ensure that the user login information is transmitted securely. However, the browser would not show the "SSL encrypted" icon (Key or Lock) to the user. C) Completely disable to non-SSL login page and direct users to the correct SSL page, either by link or automatically. This would have the advantage of having the "SSL encrypted" icon displayed in the browser before the form is submitted. Option C would be my recommended solution. IV. VENDOR NOTIFICATION Authorize.net was notified via their web-based support page on November 14, 2001. V. VENDOR RESPONSE I received this email from their support department on November 15, 2001. ============================= ==== QUOTED MESSAGE ========= ============================= Subject: RE:Security Vulnerability on Authorize.net - Plaintext Passwords Transmitted [#5383523] Thank you for your email. We appreciate feed back such as this. I will forward your suggestions on to my manager. Again, thank you. Thank you for contacting our customer service group. Please let us know if there is anything we can do to help you in the future. ============================= ==== QUOTED MESSAGE ========= ============================= To date, no other action has been taken on this matter, so I have submitted it to Bugtraq for the protection of their clientelle. I have sent a copy of this message to support@authorize.net V. REFERENCES Secure Page: https://secure.authorize.net Vulnerable Page: http://secure.authorize.net -- Brian Gallagher - brian@virtcert.com Voice and Fax: 1-888-411-8144 http://www.VirtCert.com/ Web Services for Jewelers: No Programming Required
