Plimus security flaws

Floor Terra - 2011-05-11 21:25:00
After a few weeks of frustrating email exchanges with the Plimus security people I have decided to write this blog post to warn existing and potential customers of Plimus. The apparent lack of technical knowledge on the side of Plimus and my previous experience with their response to bug reports have given me no hope that these issues will be addressed soon.

I will not give out any details yet, but will try to give some tips to reduce the risk of exposure if you're a Plimus customer.

When using the IPN (Instant Payment Notification) feature of Plimus, use SSL. Plimus doesn't enforce the use of SSL, but without it Plimus will send your customer data unencrypted over the internet. So make sure that your IPN URL starts with https:// instead of the regular http://, and make sure all your certificates are in order. (It's better to use SSL for your entire store too.)

Use the IP whitelisting feature carefully. Plimus recommends that you maintain a list of IP addresses from which you could receive an IPN from Plimus. However, there are two different lists on the Plimus website. One is within a piece of sample code; this whitelist is almost two years old, contains IP addresses Plimus doesn't own, and doesn't contain several IPs from which Plimus is sending legitimate IPNs. The other list is more up to date. You have to watch this list manually, as there is no process for notifying customers when it changes. Disabling the whitelist and relying on the other security features of the IPN is something I strongly recommend against.

Plimus also has a feature called Parameter protection that can be used to sign parts of the IPN to protect against modification of the parameters by a "man in the middle". I recommend that customers enable this on all the parameters and choose a really long and secure authKey. You could use the following to generate your authKey:
$ openssl rand -base64 36
And never allow any communications with Plimus to be transmitted without SSL.
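As an added example, not from the original post and not Plimus's own code, here is a receiver-side check in Python that combines the three steps above: it rejects an IPN URL that is not https, matches the source IP against a whitelist (the addresses below are constructed samples; the real list must be copied from Plimus and re-checked by hand), and verifies a signature over the protected parameters. The signature scheme is an assumed HMAC-SHA256 stand-in, since the post does not describe the actual Parameter protection algorithm; the authKey is the long random value generated with the openssl command above.

```python
import hmac
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Constructed sample whitelist. The real, current list must be copied from the
# Plimus site and re-checked manually, since nothing notifies you when it changes.
PLIMUS_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.0/29"]


def sign_params(params, protected, auth_key):
    """Assumed scheme: HMAC-SHA256 over the protected parameters in sorted
    order, keyed with the authKey. Plimus's real Parameter protection
    algorithm is not described in the post; swap in their documented one."""
    msg = "&".join(f"{k}={params.get(k, '')}" for k in sorted(protected))
    return hmac.new(auth_key.encode(), msg.encode(), hashlib.sha256).hexdigest()


def validate_ipn(ipn_url, remote_addr, params, protected, auth_key,
                 whitelist=PLIMUS_IPS):
    """Return (ok, reason). All three checks must pass; the reason names
    the first one that failed so it can be logged."""
    # 1. Only accept notifications delivered to an https IPN URL.
    if urlsplit(ipn_url).scheme != "https":
        return False, "ipn not over https"
    # 2. The source IP must fall inside one of the whitelisted addresses/ranges.
    src = ipaddress.ip_address(remote_addr)
    if not any(src in ipaddress.ip_network(n, strict=False) for n in whitelist):
        return False, "source ip not whitelisted"
    # 3. The signature over the protected parameters must match; compare in
    #    constant time so a tampered value cannot be guessed byte by byte.
    expected = sign_params(params, protected, auth_key)
    if not hmac.compare_digest(expected, params.get("signature", "")):
        return False, "bad parameter signature"
    return True, "ok"


if __name__ == "__main__":
    key = "constructed-authkey-replace-with-openssl-output"
    prot = ["orderId", "amount", "status"]
    ipn = {"orderId": "123", "amount": "49.00", "status": "paid"}
    ipn["signature"] = sign_params(ipn, prot, key)
    print(validate_ipn("https://shop.example/ipn", "203.0.113.10", ipn, prot, key))
    tampered = dict(ipn, amount="0.01")  # a changed amount breaks the signature
    print(validate_ipn("https://shop.example/ipn", "198.51.100.3", tampered, prot, key))
```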

These steps are all relatively easy to implement and will reduce the risk. Unfortunately these steps are not enough to fully secure the IPN system. That is where Plimus comes in. Plimus will have to change their API in a fundamental way to provide some level of security. These changes will not be compatible with your existing code.

I hope that Plimus will prove me wrong and they can still contact me for questions, but for now this is all I can do.