Plimus security flaws
After a few weeks of frustrating email exchanges with the Plimus security people I have decided to
write this blog post to warn existing and potential customers of Plimus. The apparent lack of
technical knowledge on the side of Plimus and my previous experience with their response to bug
reports have given me no hope that these issues will be addressed soon.
I will not give out any details yet, but will try to give some tips to reduce the risk of
exposure if you're a Plimus customer.
When using the IPN (Instant Payment Notification) feature of Plimus, use SSL. Plimus doesn't
enforce the use of SSL, but without it Plimus will send your customer data unencrypted over the
internet. So make sure that your IPN URL starts with https:// instead of the regular http://,
and make sure all your certificates are in order. (It's better to use SSL for your entire store
too.)
Use the IP whitelisting feature carefully. Plimus recommends that you maintain a list of IP
addresses from which you can receive IPNs from Plimus. However, there are two different lists on
the Plimus website. One is embedded in a piece of sample code; this whitelist is almost two years
old, contains IP addresses Plimus doesn't own, and is missing several IPs from which Plimus is
sending legitimate IPNs. The other list is more up to date. You have to check this list manually,
as there is no process for notifying customers when it changes. Disabling the whitelist and
relying on the other security features in the IPN is something I strongly recommend against
doing.
Plimus also has a feature called Parameter protection that can be used to sign parts of the IPN
to protect against modification of the parameters by a "man in the middle". I recommend that
customers enable this for all of the parameters and choose a really long and secure authKey. You
could use the following to generate your authKey:
$ openssl rand -base64 36
And never allow any communications with Plimus to be transmitted without SSL.
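To show how the three tips above fit together on the receiving side, here is an added example of an IPN receiver check; it is not Plimus's code or their actual signing scheme. The whitelist addresses, the sample notification and the authKey are constructed, and the signature format (HMAC-SHA256 over the protected name=value pairs in a fixed order) is an assumption standing in for whatever Plimus's Parameter protection really computes. The URL check, the source-IP check and the constant-time signature comparison are the parts worth copying.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed whitelist of IPN sender addresses (documentation ranges, not Plimus's real IPs).
IPN_SENDER_WHITELIST = ["203.0.113.0/24", "198.51.100.7"]

# Constructed authKey, e.g. the output of `openssl rand -base64 36`; never reuse this value.
AUTH_KEY = b"QUdXd0x5N2pQb2tIdmZ1WnJtMlRsR3FhYjd5c1hOd0lpVGc5VkR2Zw=="

# Fields covered by the (assumed) parameter signature; protect every field you act on.
SIGNED_FIELDS = ["referenceNumber", "productId", "amount", "currency", "email"]

# Constructed sample notification as it would arrive in the IPN request body.
SAMPLE_IPN = {
    "referenceNumber": "12345678",
    "productId": "987654",
    "amount": "49.95",
    "currency": "USD",
    "email": "buyer@example.com",
}


def ipn_url_uses_ssl(url: str) -> bool:
    """Tip 1: the IPN callback URL you configure must be https://, never http://."""
    return urlparse(url).scheme == "https"


def sender_is_whitelisted(remote_ip: str, whitelist: List[str] = IPN_SENDER_WHITELIST) -> bool:
    """Tip 2: accept notifications only from addresses on the maintained whitelist."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in whitelist)


def sign_params(params: Dict[str, str], signed_fields: List[str], auth_key: bytes) -> str:
    """Assumed signing scheme: HMAC-SHA256 over name=value pairs in a fixed field order.

    Raises KeyError if a protected field is absent, so a stripped field cannot verify.
    """
    message = "&".join(f"{name}={params[name]}" for name in signed_fields).encode("utf-8")
    return hmac.new(auth_key, message, hashlib.sha256).hexdigest()


def verify_ipn(params: Dict[str, str], signed_fields: List[str], auth_key: bytes,
               remote_ip: str, presented_sig: str) -> Tuple[bool, str]:
    """Tip 2 + Tip 3: reject the notification unless both the source and the signature check out."""
    if not sender_is_whitelisted(remote_ip):
        return False, "sender IP not in whitelist"
    try:
        expected = sign_params(params, signed_fields, auth_key)
    except KeyError as missing:
        return False, f"protected field missing: {missing.args[0]}"
    # compare_digest avoids leaking signature bytes through timing differences.
    if not hmac.compare_digest(expected, presented_sig):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    print("IPN URL ok:", ipn_url_uses_ssl("https://shop.example.com/ipn"))
    good_sig = sign_params(SAMPLE_IPN, SIGNED_FIELDS, AUTH_KEY)
    print("genuine:", verify_ipn(SAMPLE_IPN, SIGNED_FIELDS, AUTH_KEY, "198.51.100.7", good_sig))
    tampered = dict(SAMPLE_IPN, amount="0.01")
    print("tampered amount:", verify_ipn(tampered, SIGNED_FIELDS, AUTH_KEY, "198.51.100.7", good_sig))
    print("unknown sender:", verify_ipn(SAMPLE_IPN, SIGNED_FIELDS, AUTH_KEY, "192.0.2.1", good_sig))
```

The whitelist check runs first so that an unknown sender never gets as far as the HMAC computation, and the signature covers every field the store acts on; a signature over only the order reference would still let an intermediary rewrite the amount.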
These steps are all relatively easy to implement and will reduce the risk. Unfortunately these
steps are not enough to fully secure the IPN system. That is where Plimus comes in. Plimus will
have to change their API in a fundamental way to provide some level of security. These changes
will not be compatible with your existing code.
I hope that Plimus will prove me wrong, and they can still contact me with questions, but for now
this is all I can do.