Vulnerability Note VU#705004

NETELLER Direct Payment API is not vulnerable to reported parameter manipulation

Original Release date: 23 Sep 2013 | Last revised: 07 Oct 2013

Overview

NETELLER Direct Payment API version 4.1.6 and possibly earlier versions were reported to be vulnerable to parameter manipulation via a modified HTTP POST request. After further analysis and discussion with NETELLER, this report was found to be incorrect. The NETELLER Direct Payment API is not vulnerable to the reported parameter manipulation.

Description

NETELLER Direct Payment API version 4.1.6 was reported to be vulnerable to parameter manipulation through a modified HTTP POST request and URL redirection, which would allow a malicious user to purchase items without paying the merchant for them. After further analysis and discussion with NETELLER, the initial report was found to be incorrect. NETELLER Direct Payment API is not vulnerable to this attack.

During a NETELLER Direct Payment API purchase transaction, the purchaser provides their NETELLER account number and PIN to the merchant, who then communicates with NETELLER to complete the transaction. The merchant could use the account number and PIN to make fraudulent transactions against the purchaser's account. Presumably, fraudulent transactions would be noticed by the purchaser and subject to investigation and possible termination of the merchant's account by NETELLER.

This reported vulnerability would have been an example of CWE-602: Client-Side Enforcement of Server-Side Security.
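The pattern CWE-602 describes in a checkout flow, as an added illustration that is not part of this note and is not NETELLER code: a merchant handler that trusts browser-supplied "status" and "amount" fields can be made to ship goods for free, while a handler that sends only opaque identifiers from the client and confirms the transaction with the payment provider server-side cannot. The order store, the provider ledger, the `provider_lookup()` stub and all transaction identifiers below are constructed for the example; the real provider API is assumed, not taken from the page.

```python
"""Hypothetical merchant-side checkout handlers illustrating CWE-602.

Constructed example; nothing here is NETELLER's API or the reported request.
The payment provider is simulated by an in-memory ledger.
"""
from decimal import Decimal, InvalidOperation

# Constructed merchant order store: order id -> price the merchant expects.
ORDERS = {"order-1001": Decimal("49.99")}

# Constructed stand-in for the provider's server-to-server transaction lookup.
# In a real integration this would be an authenticated call to the provider.
PROVIDER_LEDGER = {
    "txn-abc": {"order_id": "order-1001", "amount": Decimal("49.99"), "status": "approved"},
    "txn-def": {"order_id": "order-2002", "amount": Decimal("49.99"), "status": "approved"},
}

# Transaction ids already used to fulfil an order (prevents replay of a good txn).
CONSUMED_TXNS = set()


def provider_lookup(txn_id):
    """Simulated provider query; returns the provider's own record or None."""
    return PROVIDER_LEDGER.get(txn_id)


def vulnerable_fulfil(post_params):
    """CWE-602: the client tells the server whether it paid and how much.

    Every field checked here came from the browser, so an attacker can POST
    status=approved and a matching amount without any transaction existing.
    """
    order_id = post_params.get("order_id")
    if order_id not in ORDERS:
        return False
    try:
        paid = Decimal(post_params.get("amount", "0"))
    except InvalidOperation:
        return False
    return post_params.get("status") == "approved" and paid >= ORDERS[order_id]


def hardened_fulfil(post_params):
    """Server-side enforcement: only opaque ids are accepted from the client.

    Payment status, amount and the order the payment belongs to are all read
    from the provider's record, and each transaction id is honoured once.
    """
    order_id = post_params.get("order_id")
    txn_id = post_params.get("txn_id")
    if order_id not in ORDERS or not txn_id:
        return False
    record = provider_lookup(txn_id)
    if record is None or record["status"] != "approved":
        return False
    if record["order_id"] != order_id:          # payment must be bound to this order
        return False
    if record["amount"] < ORDERS[order_id]:     # provider's amount, not the client's
        return False
    if txn_id in CONSUMED_TXNS:                 # a genuine txn cannot be replayed
        return False
    CONSUMED_TXNS.add(txn_id)
    return True


if __name__ == "__main__":
    forged = {"order_id": "order-1001", "status": "approved", "amount": "49.99"}
    genuine = {"order_id": "order-1001", "txn_id": "txn-abc"}
    print("vulnerable handler ships forged order:", vulnerable_fulfil(forged))
    print("hardened handler ships forged order:  ", hardened_fulfil(forged))
    print("hardened handler ships genuine order: ", hardened_fulfil(genuine))
```

The forged request is the shape of attack the original report claimed: the purchase "succeeds" because the merchant believed parameters the purchaser controlled. The hardened handler also rejects a genuine approved transaction that belongs to a different order and a second use of the same transaction id, two follow-on mistakes that commonly survive a first fix.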

CVE-2013-3611 was originally assigned to this vulnerability.

Impact

As with most, if not all, electronic payment systems, the purchaser needs to trust other parties with sensitive account and identity information. In this case, the merchant may be able to make fraudulent purchases against the purchaser's NETELLER account.

Solution

NETELLER recommends following the Direct Payment API Integration documentation.

Vendor Information

Vendor    Status        Date Notified   Date Updated
NETELLER  Not Affected  21 Aug 2013     03 Oct 2013

CVSS Metrics

Group          Score  Vector
Base           0.0    AV:N/AC:M/Au:S/C:N/I:N/A:N
Temporal       0.0    E:POC/RL:ND/RC:C
Environmental  0.0    CDP:N/TD:N/CR:ND/IR:ND/AR:ND

Credit

Thanks to the reporter that wishes to remain anonymous.

This document was written by Adam Rauf.

Other Information

  • CVE IDs: CVE-2013-3611
  • Date Public: 23 Sep 2013
  • Date First Published: 23 Sep 2013
  • Date Last Updated: 07 Oct 2013
  • Document Revision: 22