Authentication tokens gone wrong

Floor Terra - 2012-03-09 00:00:00
Here is another blog post about Plimus. It seems like they don't want to communicate or fix security issues; instead they continue building new features. It's a shame that a company that handles money as its primary business doesn't have security as a top priority. This blog post is about a feature that I have warned Plimus about, but haven't been able to test, because a Plimus employee actively refused to give me access to this feature, even after the engineer in charge of security asked me explicitly to test and report more security problems. So keep this in mind when you read this blog post: I have not tried to exploit this.
The feature I want to talk about is one that webshops can use to streamline the payment experience for customers. When a user pays in a webshop through Plimus, the user is redirected to Plimus and has to log in and fill in some payment information. To make this easier for returning customers, the webshop can now include an authentication token when it redirects the customer. The user is then logged in automatically.
This process works as follows[1]:
  1. A webshop has the Plimus accountId of every customer it has seen before, because the payment IPN (instant payment notification) contains the accountId. This accountId is an integer that's probably sequential.
  2. The webshop takes the accountId and requests an authentication token from Plimus that's valid for a given number of minutes. This request is an HTTP GET request to the following URL[accountId]&expirationInMinutes=[desired time]
  3. The webshop receives an authentication token as the result of the above request.
  4. When the webshop redirects the user, it puts the authentication token in the redirect URL like this:[contractId]&target=[desired process step]&token=[authentication token]
  5. The user is now logged in to Plimus and can finish the payment process without ever entering Plimus credentials.
Why is this dangerous?
  • The webshop is given full access to the Plimus account of every customer that has ever paid through it: nothing in the token request proves that the customer is actually present or has consented, only that the webshop knows an accountId.
  • The user is not notified of this fact.
  • The token is a bearer credential carried in a URL query string, so it also ends up in browser history, proxy and web-server logs, and Referer headers of any page loaded after the redirect.
  • Because an accountId is a sequential integer I strongly suspect that it's possible to enumerate them all and get authentication tokens for all Plimus users.
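To make the two problems above concrete, here is an added toy model of the token flow as the post describes it, alongside the checks a hardened issuer would make. This is illustration code written for this page, not Plimus code: the class and method names are invented, tokens are opaque random values stored server-side (no home-grown cryptography), and the "payments" table standing in for IPN history is constructed sample data. `enumerate_tokens` shows what any party holding merchant API access could do with sequential accountIds against the insecure design; `HardenedTokenService` only issues a token for an account that has actually paid the requesting merchant, binds it to that merchant's contractId and target step, makes it single-use and short-lived, and records every request so the customer can be notified.

```python
import secrets
import time


class InsecureTokenService:
    """Toy model of the flow in the post: any merchant with API access may
    request a login token for any accountId, and the token is bound to nothing
    but an expiry time. Not Plimus code; names are invented."""

    def __init__(self, account_ids):
        self.accounts = set(account_ids)   # sequential integer ids (constructed)
        self.tokens = {}                   # token -> (account_id, expiry)

    def request_token(self, account_id, expiration_in_minutes, now=None):
        now = time.time() if now is None else now
        if account_id not in self.accounts:
            return None                    # distinguishable: leaks which ids exist
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (account_id, now + 60 * expiration_in_minutes)
        return token

    def login(self, token, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None or now > entry[1]:
            return None
        return entry[0]                    # full access as this account


def enumerate_tokens(service, first_id, count, minutes=60):
    """Walk a range of sequential ids and collect a login token for every
    account that exists. Returns {account_id: token}."""
    found = {}
    for account_id in range(first_id, first_id + count):
        tok = service.request_token(account_id, minutes)
        if tok is not None:
            found[account_id] = tok
    return found


class HardenedTokenService:
    """Same API shape with the checks the post's analysis implies (my
    suggestion, not a Plimus design)."""

    MAX_MINUTES = 15                       # cap whatever the merchant asks for

    def __init__(self, payments):
        # payments: constructed set of (contract_id, account_id) pairs that an
        # IPN has proven, i.e. this customer really did pay this merchant.
        self.payments = set(payments)
        self.tokens = {}
        self.audit_log = []                # feed for customer notification

    def request_token(self, contract_id, account_id, target,
                      expiration_in_minutes, now=None):
        now = time.time() if now is None else now
        if (contract_id, account_id) not in self.payments:
            self.audit_log.append(("denied", contract_id, account_id))
            return None                    # same answer for unknown and unrelated ids
        minutes = min(expiration_in_minutes, self.MAX_MINUTES)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"account": account_id, "contract": contract_id,
                              "target": target, "expiry": now + 60 * minutes,
                              "used": False}
        self.audit_log.append(("issued", contract_id, account_id))
        return token

    def login(self, token, contract_id, target, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None or entry["used"] or now > entry["expiry"]:
            return None
        if entry["contract"] != contract_id or entry["target"] != target:
            return None                    # replay by another merchant or other step
        entry["used"] = True               # single use
        return entry["account"]            # access limited to this step only


if __name__ == "__main__":
    svc = InsecureTokenService(range(1000, 1010))
    print("tokens for every account in the range:", enumerate_tokens(svc, 995, 20))
    hard = HardenedTokenService({("C1", 1003)})
    print("unrelated account:", hard.request_token("C1", 1004, "checkout", 5))
    tok = hard.request_token("C1", 1003, "checkout", 60)
    print("login once:", hard.login(tok, "C1", "checkout"),
          "login twice:", hard.login(tok, "C1", "checkout"))
```

The hardened issuer still trusts the merchant's API credentials, so a compromised webshop can log in its own past customers for one checkout step; what it can no longer do is mint tokens for the rest of the customer base by counting upwards, keep them for an hour, or reuse them elsewhere.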
Just fix your stuff, Plimus. And don't invent your own cryptographic protocols. You don't even know what "hexadecimal" means.