A flaw in access control has been identified in the management of pre-registered cards by users of the Saferpay module. By exploiting this flaw, a user can register on the web application, enter their payment card (e.g., VISA), and then use another user's card from the application to pay for their own cart.
First, it is necessary to register your payment card for future purchases. Then, you simply need to select it via the associated menu.
When the payment request is issued, the "selectedCreditCard_VISA" parameter references the identifier of this card. By modifying it during the interception of the HTTP request, another user's card will be used.
Note: The identifier used to reference the card is incremental and can be trivially determined by an attacker. It is recommended to use identifiers such as UUIDv4, which are random and not predictable by other users.
Note: I use the Burp app to do this.
The Saferpay module then redirects the user to the 3D Secure mechanism associated with the fraudulently selected card.
Implementing an access control mechanism on pre-registered card identifiers based on the current user's session token would prevent it.
We did a fix, but you may find a better way to solve this issue:
If you need more information, feel free to ask!
Thank you!
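One way to apply the ownership check recommended in the report, as an added example that is neither the Saferpay module's code nor the fix the reporter mentions. The table, column and function names are hypothetical, an in-memory SQLite database stands in for the shop database, and a random 128-bit hex reference stands in for the suggested UUIDv4.

```php
<?php
declare(strict_types=1);

// Constructed schema and data (hypothetical names): two customers, one card each.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// id_card is the incremental id from the report; public_ref is the random
// reference sent to the browser; alias is the provider-side card token.
$db->exec('CREATE TABLE saved_card (id_card INTEGER PRIMARY KEY,
    id_customer INTEGER NOT NULL, public_ref TEXT NOT NULL UNIQUE, alias TEXT NOT NULL)');

function addCard(PDO $db, int $customerId, string $alias): string
{
    $ref = bin2hex(random_bytes(16)); // 128 random bits, stand-in for a UUIDv4
    $db->prepare('INSERT INTO saved_card (id_customer, public_ref, alias) VALUES (?, ?, ?)')
       ->execute([$customerId, $ref, $alias]);
    return $ref;
}

// Before: the card is looked up by the submitted identifier alone.
function findCardUnchecked(PDO $db, int $submittedId): ?array
{
    $st = $db->prepare('SELECT id_customer, alias FROM saved_card WHERE id_card = ?');
    $st->execute([$submittedId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// After: the customer id comes from the server-side session, never from the
// request, and is part of the WHERE clause. "Unknown" and "not yours" both
// yield null, so the response does not reveal which references exist.
function findCardForCustomer(PDO $db, int $sessionCustomerId, string $submittedRef): ?array
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $submittedRef)) {
        return null; // malformed reference: reject before touching the database
    }
    $st = $db->prepare('SELECT id_customer, alias FROM saved_card
                        WHERE public_ref = ? AND id_customer = ?');
    $st->execute([$submittedRef, $sessionCustomerId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

$refA = addCard($db, 1, 'alias-customer-1');
$refB = addCard($db, 2, 'alias-customer-2');

// Customer 2's session submits customer 1's card to each lookup, then its own.
var_dump(findCardUnchecked($db, 1));
var_dump(findCardForCustomer($db, 2, $refA));
var_dump(findCardForCustomer($db, 2, $refB));
```

The scoped lookup has to run again on the server when the payment request is processed, since the random reference only makes identifiers harder to guess and does not replace the ownership check.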
We have already implemented this fix, and it will be added to the upcoming release. The fixes for this release were focused on the card-saving functionality, so it was very good timing.