RE: Authorize.Net Plain Text Login Transmission

[Robert Brewer <fumanchu () amor org>]

Also, please be aware that other provider domain names may be vulnerable. We
use a service provider named RTWare.net, for example, which uses the same
code as Authorize.net and therefore is vulnerable in theory to the same
problem. In practice, I have not yet seen a link on their pages which
connects via http, only https. However, the login page *is* accessible via
http (I just checked). I would advise anyone with an online credit-card
service provider to find out personally whether or not they are vulnerable.

Robert Brewer
MIS
Amor Ministries
fumanchu () amor org

> -----Original Message-----
> From: Brian Gallagher [mailto:brian () virtcert com]
> Sent: Tuesday, January 15, 2002 9:18 AM
> To: bugtraq () securityfocus com; support () authorize net
> Subject: Authorize.Net Plain Text Login Transmission
>
>
> SYSTEMS AFFECTED
>
>
> Authorize.net Merchant Account Administration System
>
>
> OVERVIEW
>
>
> Authorize.net provides a system for the authorization and 
> management of
> online and offline credit card transactions.  If the user omits the
> "https://"; portion of the URL when going to "secure.authorize.net" the
> user's login and password will be transmitted in plain text across the
> Internet.  An intruder the ability to make unauthorized charges and
> credits to charge cards through the compromised merchant account, view
> the transaction history of the company, and get other related data.
>
>
> I.  DESCRIPTION
>
>
> Authorize.net provides a system for the authorization and 
> management of
> online and offline credit card transactions.
>
> You log onto the administrative section of the system by going to the
> address https://secure.authorize.net .  The logon page is 
> also available
> in a non-SSL version at http://secure.authorize.net .
>
> If you attempt to log on to the insecure page, it will appear to
> function as if you had gone to the correct SSL version of the page.
> When you submit your login information, it will transmit your username
> and password in plain text across the Internet and then 
> display a "403.4
> Forbidden: SSL required" message.
>
>
> II. IMPACT
>
>
> The userid and password for your merchant account may be transmitted
> plain text across the Internet.  Any man-in-the-middle would 
> be able to
> easily sniff your login information off the Internet and 
> complete access
> to your account would be obtained.
>
> This would give the intruder the ability to make unauthorized charges
> and credits to charge cards through your merchant account, 
> and view the
> transaction history of your company.
>
>
> III. SOLUTIONS
>
>
> A) Users: Be absolutely certain that you are accessing the SSL version
> of the secure.authorize.net login page.
>
> B) Authorize.Net: Change the FORM parameter in the login page 
> to specify
> an ABSOLUTE URL.  Change the current tag from:
>
>  <FORM METHOD="POST" ACTION="/Interface/minterface.dll?FrameSet">
>
> to:
>
>  <FORM METHOD="POST"
> ACTION="https://secure.authorize.net/Interface/minterface.dll?
> FrameSet">
>
> This would ensure that the user login information is transmitted
> securely.  However, the browser would not show the "SSL 
> encrypted" icon
> (Key or Lock) to the user.
>
> C) Completely disable to non-SSL login page and direct users to the
> correct SSL page, either by link or automatically.  This 
> would have the
> advantage of having the "SSL encrypted" icon displayed in the browser
> before the form is submitted.
>
> Option C would be my recommended solution.
>
>
> IV.  VENDOR NOTIFICATION
>
>
> Authorize.net was notified via their web-based support page 
> on November
> 14, 2001.
>
>
> V. VENDOR RESPONSE
>
> I received this email from their support department on November 15,
> 2001.
>
> =============================
> ==== QUOTED MESSAGE =========
> =============================
> Subject: RE:Security Vulnerability on Authorize.net - Plaintext
> Passwords Transmitted [#5383523]
>
> Thank you for your email.  We appreciate feed back such as 
> this.  I will
> forward your suggestions on to my manager.  Again, thank you.
> Thank you for contacting our customer service group.
> Please let us know if there is anything we can do to help you in the
> future.
> =============================
> ==== QUOTED MESSAGE =========
> =============================
>
> To date, no other action has been taken on this matter, so I have
> submitted it to Bugtraq for the protection of their clientelle.
>
> I have sent a copy of this message to support () authorize net
>
>
> V. REFERENCES
>
>
> Secure Page:
>  https://secure.authorize.net
>
> Vulnerable Page:
>  http://secure.authorize.net
>
>
>
> --
> Brian Gallagher  -  brian () virtcert com
> Voice and Fax: 1-888-411-8144
> http://www.VirtCert.com/
> Web Services for Jewelers: No Programming Required