RE: Authorize.Net Plain Text Login Transmission

Also, please be aware that other provider domain names may be vulnerable. We
use a service provider named RTWare.net, for example, which uses the same
code as Authorize.net and therefore is vulnerable in theory to the same
problem. In practice, I have not yet seen a link on their pages which
connects via http, only https. However, the login page *is* accessible via
http (I just checked). I would advise anyone with an online credit-card
service provider to find out personally whether or not they are vulnerable.

Robert Brewer
MIS
Amor Ministries
fumanchu@amor.org

> -----Original Message-----
> From: Brian Gallagher [mailto:brian@virtcert.com]
> Sent: Tuesday, January 15, 2002 9:18 AM
> To: bugtraq@securityfocus.com; support@authorize.net
> Subject: Authorize.Net Plain Text Login Transmission
> 
> 
> SYSTEMS AFFECTED
> 
> 
> Authorize.net Merchant Account Administration System
> 
> 
> OVERVIEW
> 
> 
> Authorize.net provides a system for the authorization and management of
> online and offline credit card transactions.  If the user omits the
> "https://" portion of the URL when going to "secure.authorize.net" the
> user's login and password will be transmitted in plain text across the
> Internet.  An intruder would have the ability to make unauthorized charges and
> credits to charge cards through the compromised merchant account, view
> the transaction history of the company, and get other related data.
> 
> 
> I.  DESCRIPTION
> 
> 
> Authorize.net provides a system for the authorization and 
> management of
> online and offline credit card transactions.
> 
> You log onto the administrative section of the system by going to the
> address https://secure.authorize.net .  The logon page is 
> also available
> in a non-SSL version at http://secure.authorize.net .
> 
> If you attempt to log on to the insecure page, it will appear to
> function as if you had gone to the correct SSL version of the page.
> When you submit your login information, it will transmit your username
> and password in plain text across the Internet and then 
> display a "403.4
> Forbidden: SSL required" message.
> 
> 
> II. IMPACT
> 
> 
> The userid and password for your merchant account may be transmitted
> plain text across the Internet.  Any man-in-the-middle would 
> be able to
> easily sniff your login information off the Internet and 
> complete access
> to your account would be obtained.
> 
> This would give the intruder the ability to make unauthorized charges
> and credits to charge cards through your merchant account, 
> and view the
> transaction history of your company.
> 
> 
> III. SOLUTIONS
> 
> 
> A) Users: Be absolutely certain that you are accessing the SSL version
> of the secure.authorize.net login page.
> 
> B) Authorize.Net: Change the FORM parameter in the login page 
> to specify
> an ABSOLUTE URL.  Change the current tag from:
> 
>  <FORM METHOD="POST" ACTION="/Interface/minterface.dll?FrameSet">
> 
> to:
> 
>  <FORM METHOD="POST"
>  ACTION="https://secure.authorize.net/Interface/minterface.dll?FrameSet">
> 
> This would ensure that the user login information is transmitted
> securely.  However, the browser would not show the "SSL 
> encrypted" icon
> (Key or Lock) to the user.
> 
> C) Completely disable the non-SSL login page and direct users to the
> correct SSL page, either by link or automatically.  This 
> would have the
> advantage of having the "SSL encrypted" icon displayed in the browser
> before the form is submitted.
> 
> Option C would be my recommended solution.
> 
> 
> IV.  VENDOR NOTIFICATION
> 
> 
> Authorize.net was notified via their web-based support page 
> on November
> 14, 2001.
> 
> 
> V. VENDOR RESPONSE
> 
> I received this email from their support department on November 15,
> 2001.
> 
> =============================
> ==== QUOTED MESSAGE =========
> =============================
> Subject: RE:Security Vulnerability on Authorize.net - Plaintext
> Passwords Transmitted [#5383523]
> 
> Thank you for your email.  We appreciate feedback such as 
> this.  I will
> forward your suggestions on to my manager.  Again, thank you.
> Thank you for contacting our customer service group.
> Please let us know if there is anything we can do to help you in the
> future.
> =============================
> ==== QUOTED MESSAGE =========
> =============================
> 
> To date, no other action has been taken on this matter, so I have
> submitted it to Bugtraq for the protection of their clientele.
> 
> I have sent a copy of this message to support@authorize.net
> 
> 
> VI. REFERENCES
> 
> 
> Secure Page:
>  https://secure.authorize.net
> 
> Vulnerable Page:
>  http://secure.authorize.net
> 
> 
> 
> --
> Brian Gallagher  -  brian@virtcert.com
> Voice and Fax: 1-888-411-8144
> http://www.VirtCert.com/
> Web Services for Jewelers: No Programming Required
> 
> 
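An added check, not part of either message above and not Authorize.net's code: the Python below (helper names are my own) resolves each password form's ACTION against the URL the page was fetched from, which is exactly the relative-versus-absolute distinction behind option B, and reports the cases where the login would leave the browser unencrypted. The sample HTML is constructed to mirror the FORM tag quoted in the advisory, not captured from the live site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each FORM on the page and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one {"action": str, "has_password": bool} per form
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return findings for password forms whose submission would not be SSL-protected. A relative
    ACTION inherits the page's scheme; a form on a plain-http page is reported even with an absolute
    https ACTION, since the unencrypted page (and the tag itself) could be altered in transit."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])   # relative ACTION -> same scheme as the page
        if urlsplit(target).scheme.lower() != "https":
            findings.append(f"credentials POST to {target} (not https)")
        elif page_scheme != "https":
            findings.append(f"form posts to {target} but the page was served over {page_scheme}")
    return findings


# Constructed sample mirroring the tag quoted in the advisory; not captured from the live site.
RELATIVE_ACTION_PAGE = """<html><body>
<FORM METHOD="POST" ACTION="/Interface/minterface.dll?FrameSet">
  <INPUT TYPE="TEXT" NAME="login"> <INPUT TYPE="PASSWORD" NAME="password"> <INPUT TYPE="SUBMIT">
</FORM></body></html>"""
# The same page after option B: the ACTION made absolute and https.
ABSOLUTE_ACTION_PAGE = RELATIVE_ACTION_PAGE.replace('ACTION="/Interface', 'ACTION="https://secure.authorize.net/Interface')
```

Run `audit_login_forms("http://secure.authorize.net/", RELATIVE_ACTION_PAGE)` to see the advisory's case reported, and the same call with `ABSOLUTE_ACTION_PAGE` to see why the post still prefers option C over option B.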
