Payflow Link exploit

This security exploit has particular meaning to me as I finalize the spec for our own commerce site.

Michael H. Pryor
Monday, January 7, 2002

Thanks for letting us know how we can get Fog Creek products for free ;)

Jan Derk
Monday, January 7, 2002

We don't use Payflow thankfully! ;-)

Michael H. Pryor
Monday, January 7, 2002

Unfortunately, many e-commerce gateways have flaws of this sort. If it isn't already obvious, you should completely avoid any system where viewable HTML forms contain your specific information such as login IDs, amounts, etc. Most gateways do offer APIs, though, to get around such issues.

Tuesday, January 8, 2002

I disagree. The PayPal interface is totally open via simple FORM POSTs but it's air-tight from a security standpoint.

Further, by using a web interface, customers need not provide their financial information to each and every merchant they do business with. This is not possible via a "direct" interface and is one of the primary manners in which credit card information ends up in fraudulent hands.

Patrick Breitenbach
Thursday, January 10, 2002

It's funny. This exploit is rather widespread among the credit card gateways. The usual practice is to simply redirect the customer to the merchant's site with some indication of the approval in the POST request. These are the easiest to break into.
The more complicated systems (like Payflow) send a separate HTTP request to the merchant site, which is invisible to the client. Knowledge of that invisible URL is required to break through the system. And the merchant still has the option to filter the requests depending on the IP address - it should expect requests to this URL from the Verisign servers only.
These techniques require some development effort. I think such guys as use the reliable monetary transaction systems, while simple cheap pages can rely on the URL ending with "?Accepted=True" passed via GET method :)

Sinclair Evilguest
Monday, January 28, 2002
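
An added example, not part of the original thread: it contrasts the browser-carried approval flag described in the last post with a handler for the gateway's separate server-to-server request that filters by source IP and checks the amount against the merchant's own order record. The field names, order store and address range are assumptions, not Payflow Link's actual interface.

```python
import ipaddress

# Constructed sample data: the merchant's own server-side order records.
ORDERS = {"1001": {"amount_cents": 9900, "paid": False}}
# Placeholder range (TEST-NET-3); use the addresses your gateway documents.
GATEWAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def weak_return_handler(query):
    """'Before' pattern: trusts a flag that travelled through the browser."""
    return query.get("Accepted") == "True"

def handle_notification(peer_addr, form):
    """Handle the gateway's server-to-server request (hypothetical field names).

    peer_addr must be the TCP peer address, not a client-supplied header.
    """
    try:
        addr = ipaddress.ip_address(peer_addr)
    except ValueError:
        return "rejected: bad source address"
    if not any(addr in net for net in GATEWAY_NETS):
        return "rejected: source is not the gateway"
    order = ORDERS.get(form.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    if form.get("result") != "approved":
        return "rejected: not approved"
    # The price comes from the order record, never from a posted form value.
    if form.get("amount_cents") != str(order["amount_cents"]):
        return "rejected: amount mismatch"
    if order["paid"]:
        return "ignored: duplicate notification"
    order["paid"] = True
    return "accepted"

def is_paid(order_id):
    """Report whether the stored order has been marked paid."""
    return ORDERS[order_id]["paid"]
```

The return page shown to the customer should read the order's paid state from this record rather than from anything in the redirect.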

