Vulnerability Development mailing list archives
Re: Vuln in Verisign PayFlow Link payment service
From: "Keith Royster" <keith () homebrew com>
Date: Thu, 3 Jan 2002 22:08:25 -0500
Perhaps a fix for VeriSign would be to pass back a secret code (configurable through the PayFlow Link admin panel) that does not originate from a cart input value, but is stored and sent from PayFlow. Then a simple 'if' statement in the cart software could weed out the bad along with an e-mail sent to the admin.
I suggested this very idea to Verisign when I initially contacted them. My suggestion was to use the account password as the 'secret code' (perhaps encrypted?), but any shared secret would do as long as it is only passed directly from Verisign back to the shopping cart app.
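A sketch of the cart-side check discussed in this message, as an added example that is not part of the original post and not VeriSign's or any cart vendor's code. It goes one step beyond the plain pass-back: instead of sending the secret itself, the gateway sends an HMAC over the order fields keyed with the shared secret, so the secret never travels and the amount is bound to the callback. The field names, the secret value and the `alerts` list (standing in for the e-mail to the admin) are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: the same secret is configured in the gateway admin panel and the cart.
SHARED_SECRET = b"constructed-demo-secret"
# Hypothetical field names; the real callback parameters are not given on the page.
SIGNED_FIELDS = ("order_id", "amount", "result")


def callback_mac(fields, secret=SHARED_SECRET):
    """MAC over the fields the cart relies on, keyed with the shared secret."""
    # A JSON list keeps field boundaries unambiguous (no delimiter tricks).
    message = json.dumps([str(fields[name]) for name in SIGNED_FIELDS]).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_callback(fields, expected_amount, alerts, secret=SHARED_SECRET):
    """Cart side: accept only a callback that carries a valid MAC.

    Every rejection is appended to `alerts` for the admin notification.
    """
    missing = [n for n in SIGNED_FIELDS + ("mac",) if n not in fields]
    if missing:
        alerts.append(f"callback rejected: missing {missing}")
        return False
    expected = callback_mac(fields, secret).encode()
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(expected, str(fields["mac"]).encode()):
        alerts.append(f"callback rejected: bad MAC for order {fields['order_id']}")
        return False
    # The MAC proves origin; the cart still checks the amount against its own record.
    if str(fields["amount"]) != str(expected_amount):
        alerts.append(f"callback rejected: amount mismatch for order {fields['order_id']}")
        return False
    return fields["result"] == "approved"


def demo():
    """Run three constructed callbacks through the check."""
    alerts = []
    genuine = {"order_id": "1001", "amount": "49.95", "result": "approved"}
    genuine["mac"] = callback_mac(genuine)
    forged = {"order_id": "1002", "amount": "49.95", "result": "approved"}  # no MAC
    altered = dict(genuine, amount="0.01")  # field changed after signing
    results = [verify_callback(c, "49.95", alerts) for c in (genuine, forged, altered)]
    return results, alerts
```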