
WordPress: Stripe Payment Plugin Flaw Exposes Customers' Order Details


A critical vulnerability has recently been discovered in the WooCommerce Stripe Gateway plugin for WordPress. It could expose sensitive customer order information to unauthorized parties. The plugin handles payment processing for over 900,000 active installations on WordPress e-commerce sites. It was susceptible to CVE-2023-34000, an unauthenticated insecure direct object reference (IDOR) bug.

WooCommerce Stripe Payment

WooCommerce Stripe Payment Gateway is a payment gateway for WordPress e-commerce sites, with 900,000 active installs. Through Stripe's payment processing API, it enables websites to accept payment methods like Visa, MasterCard, American Express, Apple Pay, and Google Pay.

About the Vulnerability

Origin of the Flaw

The vulnerability originated from unsafe handling of order objects and improper access control in the plugin's 'javascript_params' and 'payment_fields' functions.

Because of these coding errors, it was possible to display order data for any WooCommerce store without first checking the request's permissions or confirming that the order belonged to the requesting user (user matching).

Consequences of the Flaw

The payment gateway vulnerability could give unauthorized users access to checkout page data that includes PII (personally identifiable information): email addresses, shipping addresses and the user's full name.

Because the data listed above is classified as 'critical,' it could lead to follow-on attacks in which the threat actor attempts account hijacks and credential theft through phishing emails that specifically target the victim.

How to Patch the Vulnerability?

Users of the WooCommerce Stripe Gateway plugin should update to version 7.4.1 to reduce the risks associated with this vulnerability. On April 17, 2023, specialists notified the plugin vendor of the vulnerability, CVE-2023-34000. On May 30, 2023, a patch that addressed the problem and improved security was made available.

Despite the availability of the patch, WordPress.org statistics point to a concerning level of risk: more than half of the active installations are still running unsafe plugin versions. This greatly increases the attack surface and attracts cybercriminals looking to take advantage of the security flaw.

In addition, site owners need to take safety measures swiftly: update to version 7.4.1, keep all plugins constantly updated, and watch for any indications of malicious activity. By giving security measures first priority, website administrators can preserve sensitive user data and defend their online businesses from potential cyber threats.

Facebook Patched a Vulnerability that Exposed the Identity of Page Admins

 

Facebook gave a $4,750 bug bounty reward to a teenage researcher from Nepal for discovering a vulnerability that might have been abused to reveal the identity of a page's administrator. Businesses can use Facebook Pages to boost brand visibility on the social media network, but the Facebook account that has administrative rights over the page stays private. Sudip Shah, a 19-year-old from Pokhara, Nepal, identified an insecure direct object reference (IDOR) vulnerability in Facebook for Android that may be abused to reveal the identity of the page admin. 

Insecure direct object references (IDOR) are a form of access control vulnerability that occurs when an application directly accesses objects using user-supplied input. The term IDOR gained popularity after appearing in the OWASP Top Ten in 2007. It is, however, simply one of several access control implementation errors that can lead to access controls being evaded. IDOR vulnerabilities are most often connected with horizontal privilege escalation, although they can also occur in the context of vertical privilege escalation. 

Consider a website that accesses the customer account page via the URL https://insecure-website.com/customer_account?customer_number=132355 by retrieving information from the back-end database. In this case, the customer number is directly used as a record index in queries made on the back-end database. If no other restrictions are in place, an attacker can simply change the customer number value, allowing them to examine the records of other customers while avoiding access controls. This is an example of an IDOR vulnerability that results in horizontal privilege escalation. 
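The customer-number lookup above and the missing "user matching" in the WooCommerce order handler are the same defect. The added example below (not code from either post or from the plugin) models an order-details endpoint: the vulnerable lookup trusts the caller-supplied id, while the hardened one requires authentication and binds the lookup to the authenticated user. The `Order` record, the `ORDERS` table and the ids are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int            # the customer who placed the order
    email: str
    shipping_address: str


# Constructed sample data standing in for a store's orders table.
ORDERS = {
    132355: Order(132355, owner_id=7, email="a@example.com", shipping_address="1 Main St"),
    132356: Order(132356, owner_id=8, email="b@example.com", shipping_address="2 Oak Ave"),
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to see the object."""


def order_details_vulnerable(order_id: int) -> Optional[dict]:
    """IDOR: the id is the only input, so any caller who guesses it gets the PII."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    return {"email": order.email, "address": order.shipping_address}


def order_details_secure(requester_id: Optional[int], order_id: int) -> dict:
    """Require an authenticated requester, then match the order's owner to it.

    Unknown and foreign orders fail identically, so the response does not
    reveal whether a guessed id exists."""
    if requester_id is None:
        raise Forbidden("authentication required")
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != requester_id:
        raise Forbidden("no such order for this account")
    return {"email": order.email, "address": order.shipping_address}


def can_read(requester_id: Optional[int], order_id: int) -> bool:
    """True if the hardened endpoint would return the order to this requester."""
    try:
        order_details_secure(requester_id, order_id)
        return True
    except Forbidden:
        return False
```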

Shah noticed that, when navigating to another page's live video section in Facebook for Android, altering the page id in a request to a vulnerable endpoint caused the broadcaster id parameter in the response to contain the admin ID. "It leads to page admin disclosure which is a privacy issue to the page. The impact is high because the page's admin information is meant to be kept private and not shown to the public," the researcher says. 

The issue only affected pages with a live video function enabled, although Shah believes that most pages were affected because the feature is present on the majority of them. He further notes that an attacker would have needed a script to automatically modify the page id in the request and capture the broadcaster id in the response for mass exploitation.
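Mass exploitation of an IDOR like this leaves a recognisable trace: one client requesting many distinct object ids in a short time. The added example below (not from the post or from Facebook) is a small detector that reads constructed access-log lines and flags clients whose requests touch more than a threshold of distinct ids inside a sliding window; the log format, the `page_id` parameter name and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines: client, epoch seconds, method, path.
SAMPLE_LOG = """\
10.0.0.5 1700000000 GET /live_video?page_id=1001
10.0.0.5 1700000001 GET /live_video?page_id=1002
10.0.0.5 1700000002 GET /live_video?page_id=1003
10.0.0.5 1700000003 GET /live_video?page_id=1004
10.0.0.5 1700000004 GET /live_video?page_id=1005
10.0.0.9 1700000001 GET /live_video?page_id=1001
10.0.0.9 1700000050 GET /live_video?page_id=1001
"""

LINE_RE = re.compile(r"^(\S+) (\d+) \S+ \S+\?page_id=(\d+)$")


def parse(log: str):
    """Yield (client, timestamp, object_id) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def flag_enumerators(log: str, window: int = 60, max_distinct: int = 3) -> dict:
    """Return {client: peak distinct ids} for clients that requested more than
    max_distinct distinct object ids within any window-second span."""
    events = defaultdict(list)
    for client, ts, oid in parse(log):
        events[client].append((ts, oid))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {oid for _, oid in evs[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[client] = max(len(distinct), flagged.get(client, 0))
    return flagged
```

A repeat request for the same id (client 10.0.0.9 in the sample) is ordinary browsing and is not flagged; only the id-sweeping client is.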

The researcher also found a variation of the security flaw in which the attacker might have the admin ID disclosed in the response by including a modified live_video_id in the request. The underlying source of the issue, however, remained the same.

Typeform Patched an Information Hijacking Vulnerability

 

Online survey and form creation tool Typeform lets customers build web pages for easy information gathering from their own users. Each form created on the platform has a unique "form ID", for example hHXhmf, which for publicly accessible surveys may be indexed by search engines. Typeform's systems use this form ID throughout their workflows to track form submissions and pass gathered data between different parts of the application. Under normal conditions, knowing a form ID would only allow someone to access and fill in the corresponding survey. A serious vulnerability in Typeform meant that attackers who knew this ID could secretly harvest the responses submitted by respondents to virtually any form. 

Bug hunter Ronak Patel recently gave details on an Insecure Direct Object Reference (IDOR) bug that affected "an application [used] to create structures for surveys, quiz and more." IDOR vulnerabilities occur when a reference to an internal system object can be accessed directly by users in an unauthorized way. In this case, the object is a Typeform form/survey and the reference is the "form_id", which could allow attackers to obtain the data submitted to a form.

Typeform supports integration with applications and web services like Google Analytics and Zendesk Sell to help with processing form submissions. For instance, survey creators can use the Zendesk Sell application and map the survey response fields to the Zendesk Sell fields in their account for data analysis. Patel created a test Zendesk Sell account and integrated it with his Typeform account. He observed the network requests, including the GET and POST fields, exchanged between Typeform and Zendesk Sell throughout the integrated workflow. The "form_id" field drew his attention.

The researcher then created an "attacker's" Zendesk Sell account for testing and found it was possible to tamper with the "form_id" field sent in the integration request, changing it to an arbitrary value, for example the form_ID of a Typeform survey belonging to the victim. This means cybercriminals could harvest the gathered survey responses into their own Zendesk Sell accounts without the survey creator having any knowledge of the unlawful activity. 

Patel states that he found the vulnerability around six months ago and that the platform fixed it two months ago.