In the previous blog post, Paying less for more in Drupal Commerce through the Authorize.Net SIM/DPM, I described the vulnerability I found in the Drupal Commerce Authnet SIM/DPM module. This time I decided to look into other eCommerce platforms and search for similar vulnerabilities.
I picked WooCommerce, an eCommerce plugin for WordPress that has become very popular in recent years. There are several paid modules that integrate WooCommerce with Authorize.net, but they cost around $70 and their source code may be closed. So I decided not to analyse them and to concentrate on Open Source products instead.
Fortunately I found a free and Open Source plugin for WordPress called Authorize.net Payment Gateway For WooCommerce that works using the Server Integration Method (SIM). According to the stats it has been downloaded more than 11,000 times since it was created. The sources of this plugin are also available on GitHub.
Follow the steps below to reproduce my findings.
1. Study the code
The first thing I looked at was the code. If we take a look at the payment confirmation function, we can notice that the plugin does not check whether the POST request was really signed by Authorize.net. It therefore allows an attacker to send a fake request to the website and thus complete an order for free.
Now let's see how this vulnerability can be used.
2. Make an order
On the checkout step, select Authorize.net as the payment option and click the Place Order button.
3. Get an Order ID
When the payment form appears, open the browser inspector and get the Order ID value from the hidden x_invoice_num field.
4. Send a fake POST request to WooCommerce
I use Postman - REST Client, a Chrome extension, which lets you send POST requests and test your website. Specify x_invoice_num and x_response_code, which are the mandatory fields; a value of 1 means that the payment was successful. You can also set x_amount and x_MD5_hash, though the current plugin completely ignores these fields.
5. Get a response
If you see a response containing a confirmation link, the order has been completed.
6. Open a confirmation link
To make sure the order was successful, open the confirmation link. Here we are! We have just completed an order and haven't spent a single penny.
I would say this issue has a high severity, as it allows anyone to buy anything for free while bypassing Authorize.net. The only way to distinguish real orders from fake ones is to check the transactions manually in the Authorize.net merchant area.
How to fix it
There are several improvements that can be done:
- Verify the response from Authorize.net using the signature stored in the x_MD5_hash field.
- Log the whole $_POST array so that it is easy to analyse requests and find fake ones.
- According to the official SIM/DPM docs, pass the Order ID through the fp_sequence field. This field is covered by the MD5 fingerprint hash, so it won't be possible to modify it and cheat an online store the way I once did with Drupal Commerce.
- Check that the Transaction ID and amount fields stored in Authorize.net match the ones stored in WooCommerce.
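The four improvements above, put together as an added PHP example that is not the plugin's own code: the order ID goes out inside the signed fingerprint (x_fp_sequence), and the relay response is logged, signature-checked and compared against the stored order before anything is marked paid. The hash formulas follow the Authorize.net SIM guide (x_fp_hash = HMAC-MD5 over `login^sequence^timestamp^amount^` with the transaction key; x_MD5_hash = MD5 of the merchant "MD5 Hash" value, the API login ID, x_trans_id and x_amount). The credentials, order and POST payloads are constructed sample values, and the function names are my own.

```php
<?php
// Added example, not the plugin's code. Merchant secrets are constructed placeholders;
// a real plugin reads them from its settings page.
const AUTHNET_LOGIN_ID  = 'LOGIN_ID_PLACEHOLDER';
const AUTHNET_TXN_KEY   = 'TRANSACTION_KEY_PLACEHOLDER';
const AUTHNET_MD5_VALUE = 'MD5_HASH_VALUE_PLACEHOLDER'; // the "MD5 Hash" value configured in the merchant interface

/**
 * Signed fields for the outbound SIM form. The order ID travels in x_fp_sequence,
 * which is an input to x_fp_hash, so it cannot be swapped without the transaction key.
 */
function authnet_signed_form_fields(int $order_id, float $amount, int $timestamp): array {
    $amount_str = number_format($amount, 2, '.', '');
    // Fingerprint input per the SIM guide: login^sequence^timestamp^amount^ (empty currency)
    $data = implode('^', [AUTHNET_LOGIN_ID, (string) $order_id, (string) $timestamp, $amount_str]) . '^';
    return [
        'x_login'        => AUTHNET_LOGIN_ID,
        'x_fp_sequence'  => (string) $order_id,
        'x_fp_timestamp' => (string) $timestamp,
        'x_amount'       => $amount_str,
        'x_fp_hash'      => hash_hmac('md5', $data, AUTHNET_TXN_KEY),
        'x_invoice_num'  => (string) $order_id,
    ];
}

/**
 * Validate a relay-response POST against the order we created ourselves.
 * Returns null when the response is acceptable, otherwise the reason for rejection.
 */
function authnet_verify_relay_response(array $post, array $stored_order): ?string {
    // Keep the full payload so forged requests can be found afterwards.
    error_log('authnet relay response: ' . json_encode($post));

    foreach (['x_response_code', 'x_trans_id', 'x_amount', 'x_MD5_hash', 'x_invoice_num'] as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            return "missing $field";
        }
    }

    // 1. Signature: MD5(hash value . login ID . transaction ID . amount), compared in constant time.
    $expected = strtoupper(md5(AUTHNET_MD5_VALUE . AUTHNET_LOGIN_ID . $post['x_trans_id'] . $post['x_amount']));
    if (!hash_equals($expected, strtoupper($post['x_MD5_hash']))) {
        return 'bad x_MD5_hash';
    }
    // 2. The response must refer to the order we are about to complete.
    if ((string) $stored_order['id'] !== (string) $post['x_invoice_num']) {
        return 'invoice number mismatch';
    }
    // 3. The amount Authorize.net charged must equal the stored order total.
    if (number_format((float) $post['x_amount'], 2, '.', '') !== number_format($stored_order['total'], 2, '.', '')) {
        return 'amount mismatch';
    }
    // 4. Only response code 1 means approved.
    if ((string) $post['x_response_code'] !== '1') {
        return 'transaction not approved';
    }
    return null;
}

function report(string $label, ?string $result): void {
    echo $label, ': ', $result === null ? 'accepted' : 'rejected (' . $result . ')', PHP_EOL;
}

// --- Constructed demonstration ------------------------------------------------
$order = ['id' => 1234, 'total' => 49.99];
print_r(authnet_signed_form_fields($order['id'], $order['total'], 1700000000));

// A request like the forged one in the write-up: right invoice number, no valid hash.
$forged = ['x_invoice_num' => '1234', 'x_response_code' => '1', 'x_amount' => '49.99',
           'x_trans_id' => '0', 'x_MD5_hash' => 'deadbeef'];
report('forged', authnet_verify_relay_response($forged, $order));

// A response carrying a hash built the way the gateway builds it (sample transaction ID).
$genuine = ['x_invoice_num' => '1234', 'x_response_code' => '1', 'x_amount' => '49.99', 'x_trans_id' => '60012345678'];
$genuine['x_MD5_hash'] = strtoupper(md5(AUTHNET_MD5_VALUE . AUTHNET_LOGIN_ID . $genuine['x_trans_id'] . $genuine['x_amount']));
report('genuine', authnet_verify_relay_response($genuine, $order));

// Same valid hash but a lowered amount: the hash covers x_amount, so it no longer matches.
$tampered = $genuine;
$tampered['x_amount'] = '0.01';
report('tampered amount', authnet_verify_relay_response($tampered, $order));
```

In a WooCommerce gateway the check belongs in the relay-response handler: load the order with wc_get_order() from x_invoice_num, pass its id and total to authnet_verify_relay_response(), and call payment_complete() only when it returns null; any non-null reason is worth writing to the order notes so that the fake requests the author describes show up without a manual pass through the merchant area.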
The image used in the teaser shows the Robin Hood statue in Nottingham. The reason I picked this image is that you can't really use this vulnerability for your own purposes, if only because it would be easy to find you. Well, I suggest you never use any vulnerability for personal or any other reasons. The purpose of this article is to make the web more secure! So, please, make web and not war (c) :).
It looks like this module was deleted from WordPress.com, but it still exists on GitHub.com.