Authentication tokens gone wrong
Here is another blog post about Plimus. It seems like they don't want to communicate or fix security
issues; instead they continue building new features. It's a shame that a company that handles
money as its primary business doesn't have security as a top priority. This blog post is about a
feature that I have warned Plimus about, but haven't been able to test, because a Plimus employee
actively refused to give me access to this feature, even after the engineer in charge of
security asked me explicitly to test and report more security problems. So keep this in
mind when you read this blog: I have not tried to exploit this.
The feature I want to talk about is one that webshops can use to
streamline the payment experience for customers. When a user pays through Plimus in a webshop, the
user is redirected to Plimus and has to log in and fill in some payment information. To make it
easier for customers, the webshop can now supply an authentication token when the customer is
redirected. The user is then logged in automatically, without entering a password.
This process works as follows:
- A webshop has the Plimus accountid for every customer it has seen
before, because the payment IPN contains the accountid. This
accountid is an integer that is probably sequential.
- The webshop takes the accountid and requests an
authentication token from Plimus that is valid for a given amount
of time. This request is done with an HTTP GET request to the
- The webshop receives an authentication token as the result of the above request.
- When the webshop redirects the user, it places the authentication token in the
redirect URL like this:
- The user is now logged in to Plimus and can finish the payment process without logging into
Why is this dangerous?
- The webshop is given full access to the Plimus accounts of all its paying customers: the token logs the user in, it does not merely authorize one payment.
- The user is not notified of this fact.
- Because an accountId is a sequential integer, I strongly suspect that it's possible to
enumerate them all and get authentication tokens for all Plimus users.
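To make the enumeration risk and the missing binding concrete, here is a small Python model of the token flow. It is an added example, not code from Plimus or from this post, and it makes several assumptions: a hypothetical issuer signs tokens with HMAC-SHA256, keeps an in-memory record of which accounts have paid which merchant, and the merchant ids, account ids, field names and function names are all invented. `issue_token_naive` hands out a token for any existing accountId on request, which is exactly what lets one merchant walk the id space; `issue_token_bound` refuses accounts that never paid that merchant and binds the token to merchant, order, expiry and a single-use nonce, which `redeem_token` enforces when the customer lands on the redirect URL.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Issuer-side signing key. A real service would keep this in a KMS/HSM; the
# toy model generates one per process. This is an assumption, not Plimus's design.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample data: the account ids each webshop has seen in its own
# payment IPNs, and the full set of accounts that exist at the issuer.
# The ids are small sequential integers, as the post describes.
IPN_HISTORY = {
    "shop-a": {1001, 1002},
    "shop-b": {1003},
}
ALL_ACCOUNTS = {1001, 1002, 1003, 1004}

_spent_nonces = set()  # issuer-side replay protection for bound tokens


def _sign(payload):
    """Serialize a payload and append an HMAC-SHA256 tag over it."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def issue_token_naive(merchant_id, account_id, ttl=600):
    """Flawed model of the flow in the post: any registered merchant may mint a
    login token for any existing accountId. Nothing ties the token to the
    merchant, to an order, or to a prior payment by that account."""
    if merchant_id not in IPN_HISTORY or account_id not in ALL_ACCOUNTS:
        return None
    return _sign({"acct": account_id, "exp": int(time.time()) + ttl})


def issue_token_bound(merchant_id, account_id, order_id, ttl=600):
    """Hardened model: issue only for an account that has actually paid this
    merchant, and bind the token to merchant, order, expiry and a one-time
    nonce so it cannot be reused by, or for, anyone else."""
    if account_id not in IPN_HISTORY.get(merchant_id, set()):
        return None
    return _sign({
        "acct": account_id,
        "mer": merchant_id,
        "ord": order_id,
        "exp": int(time.time()) + ttl,
        "nonce": secrets.token_hex(16),
    })


def enumerate_tokens(issue, merchant_id, start, stop):
    """What the post warns about: walk a range of sequential accountIds and
    keep every token the issuer hands out. Returns {account_id: token}."""
    found = {}
    for account_id in range(start, stop):
        token = issue(merchant_id, account_id)
        if token is not None:
            found[account_id] = token
    return found


def redeem_token(token, merchant_id, order_id, now=None):
    """Issuer-side check when the customer arrives on the redirect URL.
    Returns the accountId to log in, or None. Verifies the tag in constant
    time, then expiry, merchant/order binding and single use."""
    now = int(time.time()) if now is None else now
    if "." not in token:
        return None
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("exp", 0) < now:
        return None
    # Unbound tokens (no merchant/order/nonce) fail here, so a naive token
    # cannot be redeemed against the hardened check.
    if payload.get("mer") != merchant_id or payload.get("ord") != order_id:
        return None
    nonce = payload.get("nonce")
    if nonce is None or nonce in _spent_nonces:
        return None
    _spent_nonces.add(nonce)
    return payload["acct"]


if __name__ == "__main__":
    # Merchant shop-b has only ever seen account 1003, yet the naive issuer
    # hands it tokens for every account in the range it tries.
    print("naive :", sorted(enumerate_tokens(issue_token_naive, "shop-b", 1000, 1010)))
    print("bound :", sorted(enumerate_tokens(
        lambda m, a: issue_token_bound(m, a, "order-42"), "shop-b", 1000, 1010)))
```

The point of the contrast is not the HMAC itself but what the issuer checks before signing and what the redeemer checks before logging someone in: a token that names only an account can be minted for strangers and replayed, while one bound to the merchant, the order and a spent-once nonce is useless to anyone but the customer it was issued for, and only once.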
Just fix your stuff, Plimus. And don't invent your own cryptographic protocols. You don't even
know what "hexadecimal" means.