[Editorial notes : An insightful piece by Shivani Maheshwari – she played with a few services and found out how vulnerable they are.]
Recent Ola’s wallet security lapse, left me in shock. It leaves a bleak picture about the state of security of country’s leading cab service provider. Some of the players have landed big financing rounds with determined founders and are in business for sufficiently long time now. To realize the state of security of some startups services I use, I did some tests by just using Wireshark and Postman. One website I would make mention of is zopnow.com.
Before I start putting down my thoughts, by no way I mean to condemn any organization or anyone associated with it.
Remembered that I made an order for a chocolate on 18–03–15 morning to be delivered on 19th and I haven’t paid yet. Tadaaa, let’s pay for order and capture packets! Filtered “http” packets on wireshark. Ok, all cool, lets see the flow. zopnow.com redirects to payments.zopnow.com which shows me the screen to choose between mode of payments like Credit/Debit/Netbanking/Payu. I chose PayU gateway for payments. After successful payment, there was a http packet to /payudone.php then to /paymentResponse.php and this was the hero. Let’s monitor the packet.
Image-1
Cookies and POST data was all I needed to try luck.

Cookie: zopper=*; amplifyUid=*-; _ampNV=*; _ampUVC=*; _ampVT=*; PHPSESSID=*; AWSELB=*; remember=*; lastterm=*; _gat=*; carttime=*; _ga=*; z=*;
Data: transaction_status=SUCCESS&transaction_amount=90.00&transaction_id=*&zoppay_reference=*&udf1=*

Transaction_id, zoppay_reference and udfi were 3 unknowns. Breathe, take a step back. Capture the packet from zopnow.com to payments.zopnow.com. Voila, post data looks like:

direction=outgoing&reference_number=*&txtTranID=*&txtMarketCode=*&txtTxnAmount=90&transaction_id=*&transaction_hmac=*&transaction_amount=90&access_key=*&udf1=*

Rubbed my hands, leaning closer to laptop pulled out Postman, let’s draft a request. zoppay_reference was the thing that was not known, so I decided to increment that number by 1 and use it in my new request. I placed a fresh order on zopnow worth Rs. 10/- (didn’t want to exploit in any case), fetched all cookies and data and framed a HTTP call.
Image-2
On hitting send , I got an email titled “[ZopNow] Payment Success for order XYZ”. Bingo! Arrow hits the bulls’ eye. Drawback: There was no verification of status from payment gateway, hence no server side validation of request to paymentResponse page.

Zopnow: The bigger picturesque

I wrote an email to cs@zopnow.com.

In all honest opinion, I was playing around with Zopnow.com tonight, and I found a bug via which I was able to place an order(worth Rs. 10/-, which you are free to charge me for), and pay for it online, without actually paying via any card/netbanking.

To my surprise they were very prompt(within 4 hours) in forwarding the concern.

We appreciate you bringing this our notice, this issue is forwarded to technical support team and one of the Zoppers will get in touch with you, to discuss about this issue.

After another 4 hours I got an email from member of technical team.

We acknowledge the bug you mentioned. In one of the recent releases, we regressed and started storing the payment information without verifying the status from the payment gateway. So, you could potentially add a payment just by making a direct post request to /paymentResponse.php. Can you please confirm that the bug was indeed what we thought it was? We have deployed a fix. Can you still replicate it?As a token of appreciation from our team, please accept the 10,000 Zoppies we have credited to your account.

I was humbled by kind, swift and sensible response I received from Zopnow. The issue got fixed within 8 hours, but on first part should we leave that vulnerability?
Least we can do to prevent such mishaps is to follow OWASP guidelines, have good backend analytics, apply defensive control mechanisms and have encrypted connections. Sometimes while scaling from MVP to a full-fleged product we tend to neglect the basics of security. In the longer runs, business suffers on account of these loopholes.
Competition isn’t worth if it isn’t secure!!
[Reproduced from Shivani Maheshwari‘s blog]

Add comment

Subscribe to Newsletter