1) Affected Service
 * LiqPAY micro-payment system from PrivatBank, Ukraine

2) Severity
Rating: Moderate (requires user interaction)
Impact: Exposure of sensitive financial information and unauthorized access to the system
Where: Remote (man-in-the-middle)

3) Vendor's Description of Service
"LiqPAY is global open high-secure payment system that lets anyone easily send money using mobile phones, Internet and payment cards worldwide. ... LiqPAY Benefits: Strong security. Strong identification and verification using the OTP technology."
Product Link: https://www.liqpay.com/?do=pages&p=productliqpay

4) Description of Vulnerability
LiqPAY's one-time-password technology is based on SMS messages sent to the mobile phone of the registered user. To log in, the user submits his mobile phone number on a web form and is then prompted for the 8-digit password from the SMS message the system sends to his mobile.

The vulnerability is that the SMS messages are not tagged in any way as coming from the LiqPAY system. The SMS message text is like "Parol: 12345678 --Do not pass your password to third party.".

Exploitation is as follows: an attacker sets up a website (or any other service) that first asks users for their mobile phone number, then for the password they have received. The attacker does not send any SMS himself; he requests that the LiqPAY system send one to the user. Once the user types the password from the SMS message into the attacker's website, the attacker can use that password to log in to the LiqPAY system. After logging in to LiqPAY, all services of the system are available to the attacker: the history of previous payments and the sending of digital money.

5) Solution
SMS messages from the LiqPAY system should be tagged properly so that users can clearly identify the service and the website URL from which the SMS originates.
Temporary solution for current users: do not respond to any SMS message similar in format to LiqPAY's (i.e. one carrying an 8-digit password).
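To make the fix in section 5 concrete, here is an added example (written for this page, not code from LiqPAY or PrivatBank) of an SMS OTP issuer that puts the service name and login URL into every message and that, independently of the message text, accepts each code only once, only before it expires, and only within a small guess budget. The untagged message format quoted in the advisory is kept beside the tagged one for comparison. The host `liqpay.example`, the 120-second validity window and the 3-attempt budget are assumptions for the example; the 8-digit code length is the one the advisory describes. The tagged message's last line uses the `@host #code` convention of the WICG "origin-bound one-time codes" SMS draft, so a phone or browser that supports it will offer to fill the code only on that host; `parse_tagged_sms` shows the client-side check of that line.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

SERVICE_NAME = "LiqPAY"          # service named in the advisory
SERVICE_HOST = "liqpay.example"  # constructed placeholder, not the real host
OTP_DIGITS = 8                   # the advisory's 8-digit password
OTP_TTL_SECONDS = 120            # assumed validity window
MAX_ATTEMPTS = 3                 # assumed guess budget per issued code


def weak_sms(code: str) -> str:
    """The untagged format quoted in the advisory: nothing ties it to a service or a URL."""
    return f"Parol: {code} --Do not pass your password to third party."


def tagged_sms(code: str) -> str:
    """Origin-tagged format: names the service and the only URL where the code is valid.
    The last line follows the '@host #code' convention of the WICG origin-bound
    one-time-code SMS draft, so a supporting phone/browser autofills only on that host."""
    return (f"{SERVICE_NAME} login code. Enter it only at https://{SERVICE_HOST}/\n"
            f"@{SERVICE_HOST} #{code}")


_TAG_LINE = re.compile(r"^@([A-Za-z0-9.-]+) #(\d+)$", re.MULTILINE)


def parse_tagged_sms(text: str) -> Optional[Tuple[str, str]]:
    """Client-side check: return (host, code) from the tagged last line, or None
    when the message carries no origin tag (e.g. the weak format above)."""
    m = _TAG_LINE.search(text)
    return (m.group(1), m.group(2)) if m else None


@dataclass
class PendingOtp:
    digest: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class OtpService:
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)  # phone -> PendingOtp
    outbox: list = field(default_factory=list)   # (phone, text); stands in for the SMS gateway

    def _digest(self, phone: str, code: str) -> bytes:
        # Store only a keyed hash so a leaked table does not leak live codes.
        return hmac.new(self.secret, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str, now: Optional[float] = None) -> None:
        """Generate a fresh code for this phone (replacing any older one) and queue the SMS."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[phone] = PendingOtp(self._digest(phone, code), now + OTP_TTL_SECONDS)
        self.outbox.append((phone, tagged_sms(code)))

    def verify(self, phone: str, code: str, now: Optional[float] = None) -> bool:
        """Accept a code once, only before expiry, and only within the attempt budget."""
        now = time.time() if now is None else now
        entry = self.pending.get(phone)
        if entry is None or now > entry.expires_at:
            self.pending.pop(phone, None)
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.digest, self._digest(phone, code))
        if ok or entry.attempts_left <= 0:
            del self.pending[phone]  # single use; also burned after too many wrong guesses
        return ok


if __name__ == "__main__":
    svc = OtpService()
    svc.issue("+380000000000", now=1000.0)  # constructed phone number
    print(svc.outbox[-1][1])
    print(parse_tagged_sms(svc.outbox[-1][1]))
```

Tagging the message gives the user and the phone's autofill the information needed to notice that a code requested for one site is being entered on another; it does not by itself prevent a user from typing the code in the wrong place, which is why the issuer above still limits each code to one use, a short lifetime and a few attempts.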
6) Time Table
18:16 EET 22 March 2010 - Issue reported in public to vendor (Alexander Vityaz blog, Head of Center E-business at Privatbank)
18:22 - Vendor denial as non-issue

7) Credits
Discovered by a client of PrivatBank.

8) About LiqPAY and PrivatBank
The commercial bank PrivatBank (Ukraine) was founded in 1992. Its services are used by more than 23% of the population of Ukraine. PrivatBank currently serves 420 thousand corporate clients and small businesses, and over 13 million individual accounts. LiqPAY is a system invented by PrivatBank for micropayments. It is actively pushed to clients of PrivatBank: all ~3000 branches of the bank issue micropayment vouchers or open LiqPAY accounts instead of giving change in coins to most of their clients when bank services or wire payments are requested. As a result of this effort, the number of LiqPAY users is claimed to be over 120 thousand.