Life is the best teacher, and its lessons arrive out of the blue, like a speeding truck coming round a corner in your lane. CashBill, which laughed at Przelewy24 in mid-November 2017, has just learned such a lesson the hard way.
In November 2017 we described the security vulnerabilities in the shop plug-ins offered by the Przelewy24 platform. The errors in some of them made it possible to access data stored in the databases of the firm’s clients and to freely modify the statuses of orders placed in shops using the plug-ins. As it turned out, the competitors’ plug-ins were not free of errors either.
CashBill’s unwise reaction
One of Przelewy24’s competitors, CashBill, decided to mock its competitor’s unfortunate lapse by publishing this picture.
[picture: SLEEP WELL, OUR PLUG-INS ARE INFALLIBLE,
comment 1: In the event of a mishap, a programmer is on duty
comment 2: Is the duty programmer still there? Can I get the contact details?]
It is a clear allusion to Przelewy24’s overnight effort to correct the errors and inform their clients about the problem as quickly as possible. However, less than a day after CashBill posted the picture, one of our readers, Mateusz, found trivial errors in CashBill’s plug-in for the Magento platform that allowed any user to change the status of transactions, their own and other users’ alike. It was possible to mark all transactions as paid or to cancel all of them. In other words, an error of the same category as those found earlier in the Przelewy24 platform.
Mateusz reported the problem to the “programmer on duty”, who contacted him several hours later. The next day the firm informed Mateusz that his report was being processed and that they would contact him again once a thorough analysis was complete. They never did. A few days later a new plug-in appeared on their website, and its file timestamps indicated that the files had been modified the previous Monday around noon. We found no mention of the error on their website.
Brief review of the error
The problems were found in the file
You will find a comparison of the old and new versions of the plug-in’s code on Diffchecker. Mateusz explained that the main problem was that the order-status change logic lived in a public controller, in actions that were publicly reachable but did not verify the transaction signature. One of them set the order status, so by entering the appropriate URL in a browser you could change an order’s status from “pending” to “paid”. That function did not check the signature either (the check had been done at an earlier stage, which a direct call simply bypassed). What is more, the transaction “id” parameter was taken from the GET request, so you could change the status of any transaction, not only your own.
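To make the two defects concrete, here is an added illustration written for this article; it is not CashBill’s plug-in code and is in Python rather than Magento’s PHP. It contrasts a status handler of the kind described above (id and status taken straight from the request, no signature check) with a hardened one that verifies an HMAC-SHA256 signature inside the action itself and only allows transitions out of “pending”. The signature scheme, the shared secret and the order records are all constructed for the example.

```python
import hashlib
import hmac

# Constructed secret shared by the shop and the payment operator (assumption: a real
# plug-in uses the merchant key issued by the operator, not a literal in the code).
MERCHANT_SECRET = b"constructed-merchant-secret"

# Which status changes an order may undergo; anything not listed here is refused.
ALLOWED_TRANSITIONS = {"pending": {"paid", "cancelled"}}


def vulnerable_set_status(orders, params):
    """The pattern described in the article: a publicly reachable action that takes
    both the transaction id and the new status from the request and never checks a
    signature. Whoever can reach the URL can mark any order as paid or cancelled."""
    orders[params["id"]] = params["status"]
    return True


def sign_notification(transaction_id, status, amount):
    """HMAC-SHA256 over the fields the shop relies on. In this hypothetical scheme the
    operator computes it with the shared secret when it sends a status notification."""
    message = f"{transaction_id}|{status}|{amount}".encode()
    return hmac.new(MERCHANT_SECRET, message, hashlib.sha256).hexdigest()


def hardened_set_status(orders, params):
    """Verify the signature in the action itself, so a direct call cannot bypass a
    check that happened 'at an earlier stage', then apply the transition rules."""
    required = ("id", "status", "amount", "sig")
    if any(key not in params for key in required):
        return False
    expected = sign_notification(params["id"], params["status"], params["amount"])
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(expected, params["sig"]):
        return False
    transaction_id = params["id"]
    if transaction_id not in orders:
        return False
    # The id is bound by the signature, so a valid signature for one order cannot be
    # reused against another; the transition table stops replays of a settled order.
    current = orders[transaction_id]
    if params["status"] not in ALLOWED_TRANSITIONS.get(current, set()):
        return False
    orders[transaction_id] = params["status"]
    return True


if __name__ == "__main__":
    orders = {"1001": "pending"}
    forged = {"id": "1001", "status": "paid", "amount": "49.99", "sig": "0" * 64}
    print("forged notification accepted:", hardened_set_status(orders, forged))
    genuine = dict(forged, sig=sign_notification("1001", "paid", "49.99"))
    print("genuine notification accepted:", hardened_set_status(orders, genuine), orders)
```

The point of the example is that the check belongs in the action that mutates state, not in some earlier step a direct URL can skip, and that the signature must cover the transaction id and amount, not just the status.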
We have received a statement from CashBill, which we publish in full below:
Please be advised that the Facebook post referred to in your service was just a tongue-in-cheek reference to that situation on our part. We are not in the habit of vilifying our competitors and we can admit our errors. Our Magento plug-in was not developed by our in-house programmers but nevertheless we take full responsibility for it – yes, there was a problem and it has been fixed. We informed our partners using the plug-in about a new, secure 🙂 version, which can now be downloaded from our site.
Let us assure you that no data leaked and no transaction was incorrectly authorised/cancelled as a result of the error. To show our gratitude for the help in solving the problem, we offer books about application security. We would like to give them to those who were the most involved in the problem solving process. And we will keep one of the books for ourselves!
In the wake of OVH’s recent massive outage, we were contacted by other firms which thought it a good idea to capitalise on a competitor’s failure, some in private correspondence, others in public:
[picture: Hosting or server, everything works at #springdatacenter. Check out our services:]
Even businesses from other industries jumped on the bandwagon with the tag #OVHfailure:
Lesson to be learned from this experience
We recommend that anyone writing code that handles financial transactions, and has not yet had it thoroughly audited by a reputable security firm (preferably two), arrange for such an audit as soon as possible. Why is one audit not enough? We recently saw the results of an experiment in which two experts reviewed the same source code independently of one another, and each found different errors. So if your code touches money, do not skimp on the audit; you will spare yourself embarrassment and your clients trouble.
Security is one of many fields in which you can learn quickly from your competitors’ mistakes. Instead of laughing at them, it is wiser to check your own repository, because the same classes of errors and attacks readily spread between companies, industries and countries. That is why every self-respecting company should watch the market, follow up on major incidents, review them and check whether the same problem could appear in its own infrastructure.
If you lack the people and time to follow the most important news from the market, we can help: for more than a year we have been supplying several companies with regular (weekly and monthly) reports on the major recent developments in the security industry, either in general or by sector. They let you keep your knowledge of attacks current and build security awareness among your administrator teams. You can learn a lot from the history of other people’s mishaps. If you are interested in receiving such reports regularly, just write to us.