Vulnerability Note VU#705004
NETELLER Direct Payment API is not vulnerable to reported parameter manipulation
NETELLER Direct Payment API version 4.1.6 and possibly earlier versions were reported to be vulnerable to parameter manipulation via a modified HTTP POST request. After further analysis and discussion with NETELLER, this report was found to be incorrect. The NETELLER Direct Payment API is not vulnerable to the reported parameter manipulation.
The original report claimed that a malicious purchaser could attack version 4.1.6 of the NETELLER Direct Payment API by modifying the parameters of an HTTP POST request and manipulating the URL redirection in the payment flow, obtaining items from the merchant without paying for them. After further analysis and discussion with NETELLER, the report was found to be incorrect: the NETELLER Direct Payment API does not permit this attack.
During a NETELLER Direct Payment API purchase transaction, the purchaser provides their NETELLER account number and PIN to the merchant, who then communicates with NETELLER to complete the transaction. A merchant that retains the account number and PIN could use them to make fraudulent transactions against the purchaser's account. Such transactions would presumably be noticed by the purchaser, investigated by NETELLER, and could result in termination of the merchant's account.
As with most, if not all, electronic payment systems, the purchaser needs to trust other parties with sensitive account and identity information. In this case, the party being trusted is the merchant, which may be able to make fraudulent purchases against the purchaser's NETELLER account.
NETELLER recommends that merchants follow the Direct Payment API Integration documentation.
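The reported attack was refuted, but the class of flaw it alleged (a merchant that trusts amount or status fields arriving in the client's POST or redirect instead of confirming the charge with the processor server-side) is the check a merchant integrator should be able to recognise. The following is an added Python example, not NETELLER's API or integration code and not a description of any real merchant: the processor, its responses, the fixed test account and PIN, the order records and the function names (`vulnerable_return_handler`, `hardened_return_handler`, `hardened_checkout`) are all constructed stand-ins for illustration.

```python
"""Hypothetical merchant checkout logic, contrasting a return handler that
trusts client-supplied parameters with one that verifies the charge with the
processor. Everything here is constructed for the example; it is not the
NETELLER Direct Payment API."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class ProcessorTx:
    """What the (constructed) processor reports about one transaction."""
    transaction_id: str
    approved: bool
    order_id: str
    amount: Decimal
    currency: str


class FakeProcessor:
    """Stand-in for a processor's server-to-server API. The account/PIN pair
    it accepts is a hypothetical fixed test credential."""

    def __init__(self):
        self._ledger = {}

    def charge(self, account, pin, order_id, amount, currency):
        approved = (account, pin) == ("123456", "1234")
        tx_id = f"tx-{len(self._ledger) + 1}"
        tx = ProcessorTx(tx_id, approved, order_id, Decimal(amount), currency)
        self._ledger[tx_id] = tx
        return tx

    def lookup(self, transaction_id):
        # Server-side query of a transaction by id; None if unknown.
        return self._ledger.get(transaction_id)


def new_orders():
    """Constructed merchant order store: two unpaid orders."""
    return {
        "order-1001": {"amount": Decimal("49.99"), "currency": "USD",
                       "paid": False, "tx": None},
        "order-2002": {"amount": Decimal("49.99"), "currency": "USD",
                       "paid": False, "tx": None},
    }


def vulnerable_return_handler(orders, params):
    """The pattern the report alleged: the merchant's return URL believes the
    status field in the client's redirect/POST, so a purchaser who posts
    status=approved gets the order marked paid with no charge made."""
    order = orders[params["order_id"]]
    if params.get("status") == "approved":
        order["paid"] = True
        order["tx"] = params.get("transaction_id")
    return order["paid"]


def hardened_return_handler(orders, params, processor):
    """Only order_id and transaction_id are taken from the client. Approval,
    amount and currency come from the processor; the expected amount comes
    from the merchant's own order record."""
    order = orders.get(params.get("order_id"))
    if order is None or order["paid"]:
        return False
    tx = processor.lookup(params.get("transaction_id", ""))
    if tx is None or not tx.approved:
        return False
    # The charge must be for this order, for the stored amount and currency,
    # so a client who charged 0.01 cannot settle a 49.99 order.
    expected = (params["order_id"], order["amount"], order["currency"])
    if (tx.order_id, tx.amount, tx.currency) != expected:
        return False
    # One transaction id settles at most one order (replay guard).
    if any(o["tx"] == tx.transaction_id for o in orders.values()):
        return False
    order["paid"] = True
    order["tx"] = tx.transaction_id
    return True


def hardened_checkout(orders, order_id, account, pin, processor):
    """Server-side purchase: the amount is read from the order record, never
    from the request, and the processor's answer is verified before the order
    is marked paid."""
    order = orders[order_id]
    tx = processor.charge(account, pin, order_id, order["amount"],
                          order["currency"])
    return hardened_return_handler(
        orders, {"order_id": order_id, "transaction_id": tx.transaction_id},
        processor)
```

The hardened path makes two decisions the vulnerable one skips: it asks the processor what actually happened rather than reading that from the client, and it compares the processor's answer against the merchant's own record of what the order costs. Both checks are needed; verifying approval alone would still let a purchaser pay a manipulated, smaller amount.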
Vendor Information
| Vendor   | Status       | Date Notified | Date Updated |
|----------|--------------|---------------|--------------|
| NETELLER | Not Affected | 21 Aug 2013   | 03 Oct 2013  |
Thanks to the reporter, who wishes to remain anonymous.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-3611
- Date Public: 23 Sep 2013
- Date First Published: 23 Sep 2013
- Date Last Updated: 07 Oct 2013
- Document Revision: 22
If you have feedback, comments, or additional information about this vulnerability, please send us email.