
Vulnerability in Magento's implementation of PayPal


Academic year: 2021


19/04/2012 by Antonin le Faucheux & Philippe Humeau

Affected versions: EE pre 1.10.1 & CE pre 1.5, on sites offering PayPal checkout

http://www.nbs-system.co.uk

Vulnerability in Magento's implementation of PayPal

The flaw lies in the way Magento integrated the PayPal payment gateway. Given that both companies belong to the same group this may seem odd, but the advisory has been tested and confirmed. Technically the flaw involves both PayPal and Magento: PayPal does not check enough, and Magento relies on a browser-side mechanism for security.

What is true here of Magento is also widespread in other frameworks and sites.

One customer alerted us, and we investigated the flaw detailed in this article. Fortunately this client was performing a manual double check of payments, which helped him mitigate the attack. Others were not so wise or lucky.

Why disclose this vulnerability?

Knowing that attackers crawling Google in search of exploits will find this, why take the risk of publishing it?

The reason is simple: through various sources we know that this vulnerability has been actively exploited for a while and therefore represents a real threat. To put it simply: the attackers already know about it but the victims do not, so keeping it secret mainly profits the bad guys.

The flaw was reported to Magento and has already been corrected in later versions (EE > 1.10.1 or CE > 1.5). Alas, Magento practices "silent patching", which could be translated as "fix security problems without warning anyone, so that everyone believes the garden is perfectly green". So even though the fault is corrected upstream, Magento Inc has made no official announcement to inform its customers that this vulnerability exists and allow them to protect themselves.

The second problem is that the company does not release patches for the product, meaning that to correct it you either upgrade to a later version (never an easy thing for an e-commerce site) or patch it yourself. Since Magento is an open-source platform, this is easily doable!

This article aims to explain the vulnerability and propose a solution for owners of vulnerable websites. The flaw was revealed to us by an EE customer (who does not want his name disclosed) and the patch was developed by the agency DnD (www.dnd.fr).

Exploiting the flaw

Step 1: Place an order

We are on our favorite shop, which offers PayPal checkout, and we have put a product in the cart (this also works with several items).

(Screenshots were taken from a French customer website and are not translated, sorry, but I bet you are familiar with these screens anyway.)

Once we have added the product to our cart and chosen the delivery method, we reach a total of 132,00€, VAT included.

Step 2: Interception & modification

Once we have validated the cart, we choose PayPal and validate again. By intercepting the outgoing traffic from our browser with the Burp proxy, we can watch what is actually sent to PayPal. In the traffic we find a very interesting request:

This request contains a lot of data, but what draws our attention is at the end: our item price appears as a request parameter, in clear text, 97,83 €, together with the VAT rate and the delivery price.

Since this data is sent from our browser to PayPal, it can be tampered with and altered data sent instead, to obtain a "very good discount rate".

By modifying the request parameters, we now have a price of 1.5 € and we also set the delivery price to 0,5 €. 2 € instead of 132 € is an appreciable discount; let's see how the checkout goes:

OK, no problem and no verification: our 2 € allowed us to validate our 132 € order. The data sent from the browser is taken as reliable... Browser-side security (especially when not encrypted) is never safe...

Step 3: Check that Magento has a positive return

OK, we pay, and let's check what Magento receives as a return from PayPal.

Magento received a go from PayPal: thanks for your business...

In the dashboard we can see that the 132 € order is in the Processing state. Of course, if your site is plugged into an automated fulfilment system, the parcel is already gone.

In the order details, the order shows an amount of 132 € and not the 2 € actually paid. If you do not manually check every payment before sending the goods, there is no way to detect the fraud. Some merchants have already lost tens of thousands in goods, and maybe more for some others.
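The reconciliation that Magento skips here, checking what PayPal reports as paid against the shop's own order total before an order moves to Processing, as an added illustration in Python (not Magento's or PayPal's code). The order book and the three notifications are constructed for the example; the field names mc_gross, mc_currency, invoice, payment_status and txn_id are the ones PayPal's IPN/PDT messages use. In production the notification must first be validated with PayPal itself (the IPN postback), which this offline example leaves out; the point shown is that the amount comparison has to be done server-side, against a value the buyer's browser never touched.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed local order book: what the shop believes each order is worth.
ORDERS = {
    "100000042": {"grand_total": Decimal("132.00"), "currency": "EUR"},
    "100000043": {"grand_total": Decimal("59.90"), "currency": "EUR"},
}

# Constructed payment notifications, url-encoded the way PayPal IPN/PDT
# messages are. The variable names are PayPal's; the values are invented.
# TX0001 mirrors the advisory: the 132 EUR order was paid with 2 EUR.
NOTIFICATIONS = [
    "mc_gross=2.00&mc_currency=EUR&invoice=100000042&payment_status=Completed&txn_id=TX0001",
    "mc_gross=59.90&mc_currency=EUR&invoice=100000043&payment_status=Completed&txn_id=TX0002",
    "mc_gross=59.90&mc_currency=EUR&invoice=100000043&payment_status=Pending&txn_id=TX0003",
]


def parse_notification(body):
    """Flatten a url-encoded notification into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def reconcile(order, note):
    """Return 'ok' or a reason string explaining why this payment must not
    release the order. Every comparison uses the shop's own order record,
    never the figures the buyer's browser forwarded to PayPal."""
    if note.get("payment_status") != "Completed":
        return f"payment not completed (status={note.get('payment_status')})"
    if note.get("mc_currency") != order["currency"]:
        return f"currency mismatch: paid {note.get('mc_currency')}, order is {order['currency']}"
    try:
        paid = Decimal(note.get("mc_gross", ""))
    except InvalidOperation:
        return "unparseable mc_gross"
    if paid < order["grand_total"]:
        return f"underpaid: {paid} paid, {order['grand_total']} due"
    return "ok"


def reconcile_all(orders, bodies):
    """Map txn_id -> (invoice, verdict). Notifications for unknown invoices
    are flagged rather than ignored."""
    results = {}
    for body in bodies:
        note = parse_notification(body)
        invoice = note.get("invoice")
        order = orders.get(invoice)
        if order is None:
            results[note.get("txn_id")] = (invoice, "unknown invoice")
            continue
        results[note.get("txn_id")] = (invoice, reconcile(order, note))
    return results


if __name__ == "__main__":
    for txn, (invoice, verdict) in reconcile_all(ORDERS, NOTIFICATIONS).items():
        print(f"{txn} order {invoice}: {verdict}")
```

Only the "ok" verdict should let the order leave the Pending Payment state; everything else is a case for the manual review that saved the customer mentioned above.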

Exploiting the flaw only requires script-kiddie skills. Anyone can do it at home, which makes it even more widespread and dangerous.

Now that the fire is in the hole, let's protect the websites!

Patching the flaw

The solution explained here is brought to you by one of the first-in-class Magento web agencies (Agence DnD, www.dnd.fr), which worked with a customer and PayPal to fix it. The goal is to encrypt the exchange between the browser and the PayPal servers. A general description of the method can be found on PayPal's website:

https://cms.PayPal.com/fr/cgi-bin/marketingweb?cmd=_render-content&fli=true&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P0B30

Step 1: Generating the private key and the public certificate

You can generate your keys with the OpenSSL command line, or online using the following website:

http://www.stellarwebsolutions.com/certificates/stellar_cert_builder.php

The OpenSSL CLI or the site will help you generate the required items. (OpenSSL is the safest way, provided you run it in a safe place, since you do not have to trust anyone but yourself.)

Place the files in the folder lib/PayPal of your Magento installation.

PS: it is recommended to add a random prefix to your private key's filename, to defeat an attacker's guessing or brute-forcing attempts. Also check that the rights and ownership of the file are properly set.
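Step 1 scripted, as an added example that is neither the advisory's nor DnD's code: it assumes OpenSSL is on the PATH and that the target directory is the Magento lib/PayPal folder (any path you pass; the one in the usage line is a temporary directory). It produces the RSA private key and self-signed certificate that PayPal's Encrypted Website Payments expects, names them with the random prefix the PS recommends, following the `<prefix>-prvkey.pem` / `<prefix>-pubcert.pem` pattern visible in the PayPal form above, and sets the private key to owner-only permissions.

```python
import os
import secrets
import shutil
import subprocess
import tempfile
from pathlib import Path


def random_prefix(nbytes=16):
    """32 hex characters from the OS CSPRNG, so the key file name cannot be guessed."""
    return secrets.token_hex(nbytes)


def key_paths(directory, prefix):
    """Apply the '<prefix>-prvkey.pem' / '<prefix>-pubcert.pem' naming."""
    d = Path(directory)
    return d / f"{prefix}-prvkey.pem", d / f"{prefix}-pubcert.pem"


def openssl_available():
    return shutil.which("openssl") is not None


def generate_keypair(directory, subject="/CN=shop.example.test", days=1095, bits=2048):
    """Create an RSA private key and a self-signed X.509 certificate with one
    'openssl req -x509' call (the subject CN is a placeholder; use your own
    shop's name), then lock the private key down. Returns (private, public)."""
    prefix = random_prefix()
    prv, pub = key_paths(directory, prefix)
    Path(directory).mkdir(mode=0o750, parents=True, exist_ok=True)
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", f"rsa:{bits}", "-nodes",
         "-keyout", str(prv), "-out", str(pub),
         "-days", str(days), "-subj", subject],
        check=True, capture_output=True,
    )
    os.chmod(prv, 0o600)   # only the owning (web server) user may read the key
    os.chmod(pub, 0o644)   # the certificate is public: it gets uploaded to PayPal
    return prv, pub


def private_key_locked_down(path):
    """True when the file is readable and writable by its owner only (mode 600)."""
    return (os.stat(path).st_mode & 0o777) == 0o600


def scratch_dir():
    """A throwaway directory for trying the generator outside a Magento tree."""
    return tempfile.mkdtemp(prefix="ewp-")


if __name__ == "__main__":
    prv, pub = generate_keypair(scratch_dir())
    print("private key :", prv, "mode", oct(os.stat(prv).st_mode & 0o777))
    print("public cert :", pub, "(this is the file to upload to PayPal in Step 2)")
```

Run it as the user the web server runs as (or chown the files afterwards) so that the 600 mode actually matches the process that needs to read the key.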

Step 2: Configuring PayPal to use the certificate

(Translated; the exact names of the menus may differ slightly.)

1. Connect to your PayPal account

2. Go to profile tab

3. In the column "Vendor preferences", click on "Payment Certificates on merchant site"

4. Click on "Add"

5. Click on Browse and select your public certificate (e.g. "12345010577c235ac3b483a40518ghk-pubcert.pem")

6. Once your public certificate is online, it should appear in the section named "Your public certificates"

7. Keep note of the Cert ID, you will need it later on

8. Download PayPal's public certificate

Step 3: Install the certificate in Magento

1. Place PayPal's public certificate in the folder "lib/PayPal" of your Magento site

2. Edit the file app/code/local/Mage/PayPal/Block/Standard/Redirect.php and add the Cert ID you noted on PayPal's site

Step 4: Check everything is now ok

If we sniff the request again, we now see completely encrypted content, parameters included. We can no longer tamper with the exchange between the browser and PayPal's servers.
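A way to check Step 4 without eyeballing the proxy window: a small audit function, added here as an example (not from the advisory, DnD or Magento), that parses a captured checkout POST body bound for PayPal and reports whether any price, tax, shipping or quantity variable still travels in clear text, or whether the form only carries the cmd=_s-xclick plus encrypted PKCS7 blob that Encrypted Website Payments produces. The two sample bodies are constructed (the item, VAT and delivery amounts are chosen to add up to the 132 € order above; the PKCS7 body is a dummy string, not a real envelope); the variable names are those of PayPal's Website Payments Standard cart-upload form.

```python
import re
from urllib.parse import parse_qs, urlencode

# PayPal Website Payments Standard variables that carry money or quantities.
# The cart-upload form suffixes them _1, _2, ... per item; the *_cart ones
# apply to the whole cart. Any of them in clear text can be edited by the buyer.
MONEY_FIELD = re.compile(
    r"^(amount|shipping|shipping2|handling|tax|tax_rate|tax_cart|handling_cart|"
    r"discount_amount|discount_amount_cart|quantity)(_\d+)?$"
)
PEM_BEGIN, PEM_END = "-----BEGIN PKCS7-----", "-----END PKCS7-----"


def audit_checkout_post(body):
    """Inspect a captured application/x-www-form-urlencoded body sent to PayPal.

    Returns a dict with the verdict, the clear-text money fields found, and
    whether a PEM-framed 'encrypted' blob is present."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    clear = sorted(k for k in fields if MONEY_FIELD.match(k))
    blob = fields.get("encrypted", "").strip()
    has_blob = blob.startswith(PEM_BEGIN) and blob.endswith(PEM_END)
    if clear and has_blob:
        verdict = "inconsistent"   # blob present, yet prices still leak in clear
    elif clear:
        verdict = "tamperable"     # the situation the advisory demonstrates
    elif has_blob and fields.get("cmd") == "_s-xclick":
        verdict = "protected"      # only the signed+encrypted envelope goes out
    else:
        verdict = "unknown"        # no price data and no envelope: look closer
    return {"verdict": verdict, "clear_text_fields": clear, "encrypted": has_blob}


# Constructed sample bodies. Amounts: 97.83 + 19.6 % VAT (19.17) + 15.00 delivery = 132.00.
BEFORE_PATCH = urlencode({
    "cmd": "_cart", "upload": "1", "business": "merchant@example.test",
    "currency_code": "EUR", "item_name_1": "Widget", "amount_1": "97.83",
    "quantity_1": "1", "tax_cart": "19.17", "shipping_1": "15.00",
})
AFTER_PATCH = urlencode({
    "cmd": "_s-xclick",
    "encrypted": PEM_BEGIN + "\nMIIBdummyBase64BodyForTheExampleOnly==\n" + PEM_END,
})
# A misconfigured form that sends the envelope and the clear-text figures.
BOTH = AFTER_PATCH + "&" + urlencode({"amount_1": "97.83"})


if __name__ == "__main__":
    for label, body in (("before", BEFORE_PATCH), ("after", AFTER_PATCH), ("both", BOTH)):
        print(label, audit_checkout_post(body))
```

Feed it the body of the POST to paypal.com that the proxy captured; a "protected" verdict means the browser-side form no longer exposes anything an attacker could rewrite, while "inconsistent" means the old clear-text fields are still being emitted next to the envelope and the template has not been fully switched over.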
