Authorize.Net Plain Text Login Transmission

[Brian Gallagher <brian () virtcert com>]

SYSTEMS AFFECTED


Authorize.net Merchant Account Administration System


OVERVIEW


Authorize.net provides a system for the authorization and management of
online and offline credit card transactions.  If the user omits the
"https://"; portion of the URL when going to "secure.authorize.net" the
user's login and password will be transmitted in plain text across the
Internet.  An intruder the ability to make unauthorized charges and
credits to charge cards through the compromised merchant account, view
the transaction history of the company, and get other related data.


I.  DESCRIPTION


Authorize.net provides a system for the authorization and management of
online and offline credit card transactions.

You log onto the administrative section of the system by going to the
address https://secure.authorize.net .  The logon page is also available
in a non-SSL version at http://secure.authorize.net .

If you attempt to log on to the insecure page, it will appear to
function as if you had gone to the correct SSL version of the page.
When you submit your login information, it will transmit your username
and password in plain text across the Internet and then display a "403.4
Forbidden: SSL required" message.


II. IMPACT


The userid and password for your merchant account may be transmitted
plain text across the Internet.  Any man-in-the-middle would be able to
easily sniff your login information off the Internet and complete access
to your account would be obtained.

This would give the intruder the ability to make unauthorized charges
and credits to charge cards through your merchant account, and view the
transaction history of your company.


III. SOLUTIONS


A) Users: Be absolutely certain that you are accessing the SSL version
of the secure.authorize.net login page.

B) Authorize.Net: Change the FORM parameter in the login page to specify
an ABSOLUTE URL.  Change the current tag from:

 <FORM METHOD="POST" ACTION="/Interface/minterface.dll?FrameSet">

to:

 <FORM METHOD="POST"
ACTION="https://secure.authorize.net/Interface/minterface.dll?FrameSet";>

This would ensure that the user login information is transmitted
securely.  However, the browser would not show the "SSL encrypted" icon
(Key or Lock) to the user.

C) Completely disable to non-SSL login page and direct users to the
correct SSL page, either by link or automatically.  This would have the
advantage of having the "SSL encrypted" icon displayed in the browser
before the form is submitted.

Option C would be my recommended solution.


IV.  VENDOR NOTIFICATION


Authorize.net was notified via their web-based support page on November
14, 2001.


V. VENDOR RESPONSE

I received this email from their support department on November 15,
2001.

=============================
==== QUOTED MESSAGE =========
=============================
Subject: RE:Security Vulnerability on Authorize.net - Plaintext
Passwords Transmitted [#5383523]

Thank you for your email.  We appreciate feed back such as this.  I will
forward your suggestions on to my manager.  Again, thank you.
Thank you for contacting our customer service group.
Please let us know if there is anything we can do to help you in the
future.
=============================
==== QUOTED MESSAGE =========
=============================

To date, no other action has been taken on this matter, so I have
submitted it to Bugtraq for the protection of their clientelle.

I have sent a copy of this message to support () authorize net


V. REFERENCES


Secure Page:
 https://secure.authorize.net

Vulnerable Page:
 http://secure.authorize.net



--
Brian Gallagher  -  brian () virtcert com
Voice and Fax: 1-888-411-8144
http://www.VirtCert.com/
Web Services for Jewelers: No Programming Required