It appears that Authorize.net has finally taken notice of this advisory and has disabled the non-SSL login page on their web site. They have also posted the following "Important Announcement" on their web page at https://secure.authorize.net/: ============================= ==== QUOTED MESSAGE ========= ============================= Important Announcement February 13, 2002 Dear Authorize.Net Merchant, The ability to run credits through the Authorize.Net system is temporarily suspended. We are adding additional features and business rules to the credit process to reduce the potential of an unauthorized credit from being processed through your Authorize.Net account. This action is being taken as part of our ongoing efforts to assist merchants in protecting themselves against fraud. We expect to enable this newly enhanced credit feature within the next 48 hours. Until the new credit feature is enabled, any attempts to run a credit transaction will fail and will result in a “duplicate transaction” error message. This error message should only be interpreted as a rejected credit transaction, and not as an actual duplicate transaction. Once again, we strongly encourage you to change your password using alphanumeric characters and to review our Security “Best Practices” White Paper for information on how you can better detect, prevent and manage fraud. This document is available at http://www.authorizenet.com/files/securitybestpractices.pdf. We understand this may be an inconvenience, but we are committed to providing our merchants with tools to safely and confidently conduct business using the Authorize.Net system. Sincerely, Authorize.Net ============================= ==== END QUOTED MESSAGE ===== ============================= My thanks to Authorize.net for responding to this serious security issue responsibly (though rather slowly). Sincerely, - Brian Gallagher Original Advisory: Subject: Authorize.Net Plain Text Login Transmission Date: Tue, 15 Jan 2002 12:18:29 -0500 From: Brian Gallagher <brian@virtcert.com> Organization: VirtCert.com To: bugtraq@securityfocus.com, support@authorize.net SYSTEMS AFFECTED Authorize.net Merchant Account Administration System OVERVIEW Authorize.net provides a system for the authorization and management of online and offline credit card transactions. If the user omits the "https://"; portion of the URL when going to "secure.authorize.net" the user's login and password will be transmitted in plain text across the Internet. An intruder the ability to make unauthorized charges and credits to charge cards through the compromised merchant account, view the transaction history of the company, and get other related data. I. DESCRIPTION Authorize.net provides a system for the authorization and management of online and offline credit card transactions. You log onto the administrative section of the system by going to the address https://secure.authorize.net . The logon page is also available in a non-SSL version at http://secure.authorize.net . If you attempt to log on to the insecure page, it will appear to function as if you had gone to the correct SSL version of the page. When you submit your login information, it will transmit your username and password in plain text across the Internet and then display a "403.4 Forbidden: SSL required" message. II. IMPACT The userid and password for your merchant account may be transmitted plain text across the Internet. Any man-in-the-middle would be able to easily sniff your login information off the Internet and complete access to your account would be obtained. This would give the intruder the ability to make unauthorized charges and credits to charge cards through your merchant account, and view the transaction history of your company. III. SOLUTIONS A) Users: Be absolutely certain that you are accessing the SSL version of the secure.authorize.net login page. B) Authorize.Net: Change the FORM parameter in the login page to specify an ABSOLUTE URL. Change the current tag from: <FORM METHOD="POST" ACTION="/Interface/minterface.dll?FrameSet"> to: <FORM METHOD="POST" ACTION="https://secure.authorize.net/Interface/minterface.dll?FrameSet";> This would ensure that the user login information is transmitted securely. However, the browser would not show the "SSL encrypted" icon (Key or Lock) to the user. C) Completely disable to non-SSL login page and direct users to the correct SSL page, either by link or automatically. This would have the advantage of having the "SSL encrypted" icon displayed in the browser before the form is submitted. Option C would be my recommended solution. IV. VENDOR NOTIFICATION Authorize.net was notified via their web-based support page on November 14, 2001. V. VENDOR RESPONSE I received this email from their support department on November 15, 2001. ============================= ==== QUOTED MESSAGE ========= ============================= Subject: RE:Security Vulnerability on Authorize.net - Plaintext Passwords Transmitted [#5383523] Thank you for your email. We appreciate feed back such as this. I will forward your suggestions on to my manager. Again, thank you. Thank you for contacting our customer service group. Please let us know if there is anything we can do to help you in the future. ============================= ==== QUOTED MESSAGE ========= ============================= To date, no other action has been taken on this matter, so I have submitted it to Bugtraq for the protection of their clientelle. I have sent a copy of this message to support@authorize.net V. REFERENCES Secure Page: https://secure.authorize.net Vulnerable Page: http://secure.authorize.net -- Brian Gallagher - brian@virtcert.com Voice and Fax: 1-888-411-8144 http://www.VirtCert.com/ Web Services for Jewelers: No Programming Required -- Brian Gallagher - brian@virtcert.com Voice and Fax: 1-888-411-8144 http://www.VirtCert.com/ Web Services for Jewelers: No Programming Required
