
CERT Coordination Center

NETELLER Direct Payment API is not vulnerable to reported parameter manipulation

Vulnerability Note VU#705004

Original Release Date: 2013-09-23 | Last Revised: 2013-10-07

Overview

NETELLER Direct Payment API version 4.1.6 and possibly earlier versions were reported to be vulnerable to parameter manipulation via a modified HTTP POST request. After further analysis and discussion with NETELLER, this report was found to be incorrect. The NETELLER Direct Payment API is not vulnerable to the reported parameter manipulation.

Description

NETELLER Direct Payment API version 4.1.6 was reported to be vulnerable to parameter manipulation through a modified HTTP POST request and URL redirection, which would allow a malicious user to purchase items without paying the merchant for them. After further analysis and discussion with NETELLER, the initial report was found to be incorrect. NETELLER Direct Payment API is not vulnerable to this attack.

During a NETELLER Direct Payment API purchase transaction, the purchaser provides their NETELLER account number and PIN to the merchant, who then communicates with NETELLER to complete the transaction. The merchant could use the account number and PIN to make fraudulent transactions against the purchaser's account. Presumably, fraudulent transactions would be noticed by the purchaser and subject to investigation and possible termination of the merchant's account by NETELLER.

This reported vulnerability would have been an example of CWE-602: Client-Side Enforcement of Server-Side Security.

CVE-2013-3611 was originally assigned to this vulnerability.

Impact

As with most, if not all, electronic payment systems, the purchaser needs to trust other parties with sensitive account and identity information. In this case, the merchant may be able to make fraudulent purchases against the purchaser's NETELLER account.

Solution

NETELLER recommends following the Direct Payment API Integration documentation.

Vendor Information


NETELLER Not Affected

Notified: August 21, 2013 Updated: October 03, 2013

Status

Not Affected

Vendor Statement

The vulnerability # 705004 is not applicable to the Neteller Direct Payment API since the integration interpretation is incorrect. The advised and required integration between a Merchant and the Neteller Direct Payment API is based on the premise that the Merchant's server generates and submits the POST to the Neteller API and is NOT intended to support a direct POST action from a user browser client (as a result of the Merchant's web form action). The Neteller Direct Payment API only accepts HTTPS POST method requests with the additional ability to restrict requests to registered Merchant server IP addresses. The security of the API relies on the appropriate integration between the trusted Merchant and Neteller environment.
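The integration model in the Description and the Vendor Statement above, as an added illustration that is not NETELLER's code or documentation: the merchant server, never the browser, assembles the payment request from data it holds itself (so a client-supplied amount field has no effect, which is the CWE-602 boundary), and the payment API accepts only HTTPS POST requests from registered merchant server addresses. The field names, merchant id, catalogue and IP addresses are constructed placeholders, not values from the real API.

```python
# Added example, not NETELLER's code: the integration model the vendor
# statement describes. The merchant server assembles the payment request
# from server-held data, and the payment API accepts only HTTPS POST
# requests from registered merchant server addresses. Field names, the
# merchant id and all addresses are constructed placeholders.
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict

MERCHANT_ID = "merchant-placeholder"  # assumed identifier, not a real one

# Constructed catalogue held on the merchant server; prices come from here,
# never from the browser (this is the client/server trust boundary).
CATALOGUE: Dict[str, Decimal] = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("120.00"),
}

# Constructed allow-list of merchant server addresses registered with the
# payment provider (the IP restriction the vendor statement mentions).
# Addresses are taken from the RFC 5737 documentation ranges.
REGISTERED_MERCHANT_IPS = {"198.51.100.10"}


@dataclass
class Request:
    """Minimal model of an inbound HTTP request as the payment API sees it."""
    scheme: str
    method: str
    source_ip: str
    form: Dict[str, str] = field(default_factory=dict)


def merchant_checkout(browser_form: Dict[str, str], account: str, pin: str) -> Dict[str, str]:
    """Merchant server side. Only the item key is taken from the browser form
    and only as a catalogue lookup; the amount is resolved server-side, so an
    'amount' field sent by the browser is simply ignored. Returns the form the
    merchant server will POST to the payment API."""
    sku = browser_form.get("sku", "")
    if sku not in CATALOGUE:
        raise ValueError(f"unknown item {sku!r}")
    return {
        "merchant_id": MERCHANT_ID,
        "amount": str(CATALOGUE[sku]),  # server-side price; browser 'amount' ignored
        "currency": "USD",
        "account": account,  # assumed field names, not the real API's
        "pin": pin,
    }


def payment_api_accepts(req: Request) -> bool:
    """Payment provider side, modelled on the vendor statement: HTTPS only,
    POST only, and the source restricted to registered merchant servers."""
    if req.scheme != "https":
        return False
    if req.method != "POST":
        return False
    if req.source_ip not in REGISTERED_MERCHANT_IPS:
        return False
    return True


def charged_amount(req: Request) -> Decimal:
    """Amount the provider would settle for a request. Rejected requests
    settle nothing, so the merchant is never credited for them."""
    if not payment_api_accepts(req):
        return Decimal("0")
    return Decimal(req.form["amount"])


def process_purchase(browser_form: Dict[str, str], account: str, pin: str) -> Decimal:
    """End to end: browser -> merchant server -> payment API. The merchant
    server submits from its registered address over HTTPS."""
    api_form = merchant_checkout(browser_form, account, pin)
    req = Request("https", "POST", "198.51.100.10", api_form)
    return charged_amount(req)


if __name__ == "__main__":
    # A browser form claiming amount 0.01 still settles the catalogue price.
    print(process_purchase({"sku": "sku-100", "amount": "0.01"}, "12345", "0000"))
    # A form posted straight from a browser (unregistered address) settles nothing.
    direct = Request("https", "POST", "203.0.113.5", {"amount": "0.01"})
    print(charged_amount(direct))
```

The two checks together are what make the reported parameter manipulation inapplicable: the browser never holds a request the API would accept, and even the merchant's own request carries a price the merchant server chose.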

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           0      AV:N/AC:M/Au:S/C:N/I:N/A:N
Temporal       0      E:POC/RL:ND/RC:C
Environmental  0      CDP:N/TD:N/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to the reporter that wishes to remain anonymous.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-3611
Date Public: 2013-09-23
Date First Published: 2013-09-23
Date Last Updated: 2013-10-07 21:53 UTC
Document Revision: 23

Sponsored by CISA.