Showing posts with label Payment Gateway Firm.

WordPress: Stripe Payment Plugin Flaw Exposes Customers' Order Details


A serious vulnerability was recently discovered in the WooCommerce Stripe Gateway plugin for WordPress that exposed customers' sensitive order details to unauthorized parties. The plugin, which handles payment processing for over 900,000 active WordPress e-commerce installations, was susceptible to CVE-2023-34000, an unauthenticated insecure direct object reference (IDOR) bug.

WooCommerce Stripe Payment

WooCommerce Stripe Gateway is a payment gateway plugin for WordPress e-commerce sites, with over 900,000 active installations. Through Stripe's payment processing API, it lets sites accept payment methods such as Visa, MasterCard, American Express, Apple Pay, and Google Pay.

About the Vulnerability

Origin of the Flaw

The vulnerability stems from unsafe handling of order objects and missing access control checks in the plugin's 'javascript_params' and 'payment_fields' functions.

Because of these coding errors, an unauthenticated request could display the details of any order on a WooCommerce store: neither the request's permissions nor the order's ownership (a match between the requester and the order's customer) was checked first.
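The following is an added example, not code from the plugin or from this post. It models the defect in Python: a handler named after the plugin's 'payment_fields' function reads an 'order-pay' argument and renders the order's PII without checking who asked, beside a hardened handler that renders the order only for its customer, or for a caller presenting the order's secret key (the way WooCommerce's pay-for-order links carry a key; that detail, the store, the orders, the keys and the ids are all constructed for illustration).

```python
"""Constructed model of the IDOR pattern: an order id taken from the request is
used to load and render a customer's order details. The vulnerable handler skips
the ownership check; the hardened one requires that the requester is the order's
customer, or holds the order's secret key (guest checkout). All data is made up."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: Optional[int]  # None for guest checkout
    order_key: str              # per-order secret embedded in the pay-for-order link
    email: str
    full_name: str
    shipping_address: str


# Constructed sample store: two customer orders and one guest order.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, 7, "wc_order_k1001", "alice@example.com", "Alice Example", "1 Main St"),
    1002: Order(1002, 9, "wc_order_k1002", "bob@example.com", "Bob Example", "2 High St"),
    1003: Order(1003, None, "wc_order_k1003", "guest@example.com", "Guest Buyer", "3 Side St"),
}


def _order_from_request(request_args: Dict[str, str]) -> Optional[Order]:
    """Resolve the 'order-pay' query argument to an order, tolerating bad input."""
    try:
        order_id = int(request_args.get("order-pay", ""))
    except ValueError:
        return None
    return ORDERS.get(order_id)


def _render(order: Order) -> Dict[str, str]:
    # The PII the post says was exposed on the checkout page.
    return {"email": order.email, "name": order.full_name, "address": order.shipping_address}


def payment_fields_vulnerable(request_args: Dict[str, str], current_user_id: int) -> Optional[Dict[str, str]]:
    """Pattern of the flaw: any caller, logged in or not, who can guess an order id
    gets that order's PII. current_user_id is accepted but never consulted."""
    order = _order_from_request(request_args)
    return _render(order) if order else None


def is_order_owner(order: Order, current_user_id: int, presented_key: Optional[str]) -> bool:
    """Ownership check: a logged-in user (id != 0) must be the order's customer;
    otherwise the caller must present the order's secret key (constant-time compare)."""
    if current_user_id and order.customer_id == current_user_id:
        return True
    if presented_key is not None:
        return hmac.compare_digest(presented_key, order.order_key)
    return False


def payment_fields_hardened(request_args: Dict[str, str], current_user_id: int) -> Optional[Dict[str, str]]:
    """Hardened form: same lookup, but the order is rendered only for its owner.
    Unauthorized callers get the same response as a missing order (no id oracle)."""
    order = _order_from_request(request_args)
    if order is None or not is_order_owner(order, current_user_id, request_args.get("key")):
        return None
    return _render(order)
```

The point of the hardened version is that the order id alone never grants access: the server re-derives who may see the order from the session or from a secret it issued, and returns the same "not found" answer for both unknown and unauthorized ids so the endpoint cannot be used to enumerate valid order numbers.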

Consequences of the Flaw

The vulnerability could give unauthorized users access to checkout page data that includes personally identifiable information (PII): email addresses, shipping addresses and the customer's full name.

Because this data is sensitive, its exposure could enable follow-on attacks in which a threat actor attempts account hijacking or credential theft through phishing emails tailored to the victim.

How to Patch the Vulnerability?

Users of the WooCommerce Stripe Gateway plugin should update to version 7.4.1, which fixes the flaw. Researchers reported the vulnerability, CVE-2023-34000, to the plugin vendor on April 17, 2023, and a patched release was published on May 30, 2023.

Despite the patch's availability, WordPress.org download statistics point to continued risk: more than half of active installations still run a vulnerable version. That greatly enlarges the attack surface and draws attackers looking to exploit the flaw.

Site administrators should therefore act quickly: update the plugin to version 7.4.1, keep all plugins updated, and watch for indications of malicious activity. By giving these measures priority, website operators can protect sensitive user data and defend their online businesses from potential attacks.
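To turn the "update to 7.4.1" advice into a check that can be run across many sites, here is an added example (mine, not from the post or the plugin) that reads the standard WordPress plugin header, whose 'Version:' line lives in the comment block of the plugin's main PHP file, and flags installs below the fixed release. The slug 'woocommerce-gateway-stripe' is assumed to be the plugin's WordPress.org directory name, and the sample file contents are constructed.

```python
"""Audit WordPress plugin main files for a Version header below a fixed release.
Sample file contents are constructed; the slug is assumed."""
import re
from typing import Dict, List, Optional, Tuple

# Matches the 'Version:' line of a WordPress plugin header, e.g. " * Version: 7.4.0".
VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)\s*$", re.MULTILINE | re.IGNORECASE)

# Minimum safe release for CVE-2023-34000, per the post.
FIXED_VERSIONS = {"woocommerce-gateway-stripe": "7.4.1"}


def parse_plugin_version(main_file_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header, or None if absent."""
    m = VERSION_LINE.search(main_file_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric dotted core only: '7.4.1-rc1' -> (7, 4, 1). Non-numeric parts count as 0."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = []
    for p in core.split("."):
        digits = re.match(r"\d+", p)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_older_than(installed: str, fixed: str) -> bool:
    """Compare component-wise, padding with zeros so '7.4' < '7.4.1' and '7.10' > '7.4'."""
    a, b = version_key(installed), version_key(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit_plugins(plugins: Dict[str, str]) -> List[str]:
    """plugins maps slug -> text of its main PHP file. Returns watch-listed slugs that
    either lack a Version header (treated as unknown, hence flagged) or run an older
    release than the fixed one. Plugins not installed are skipped."""
    findings = []
    for slug, fixed in FIXED_VERSIONS.items():
        text = plugins.get(slug)
        if text is None:
            continue
        installed = parse_plugin_version(text)
        if installed is None or is_older_than(installed, fixed):
            findings.append(slug)
    return findings


# Constructed sample: one vulnerable install and one patched install.
VULNERABLE_SITE = {
    "woocommerce-gateway-stripe": "<?php\n/**\n * Plugin Name: WooCommerce Stripe Gateway\n * Version: 7.4.0\n */\n",
}
PATCHED_SITE = {
    "woocommerce-gateway-stripe": "<?php\n/**\n * Plugin Name: WooCommerce Stripe Gateway\n * Version: 7.4.1\n */\n",
}
```

On a single site with WP-CLI available, `wp plugin get woocommerce-gateway-stripe --field=version` gives the same number without parsing files; the header parser is useful when you only have filesystem access to many installs, or backups.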

Chinese Loan App Case: ED Freezes Rs 46.67 Crore Worth Funds Of Payment Gateway Apps

 

The Enforcement Directorate (ED) has carried out raids against Chinese-“controlled” loan apps and investment tokens. The ED froze Rs. 46.67 crore held in the Bengaluru payment gateway accounts of Easebuzz, Razorpay, Cashfree, and Paytm in connection with the HPZ token case, over alleged irregularities in the operation of instant app-based lending companies controlled by Chinese nationals. The funds were frozen and seized under the Prevention of Money Laundering Act (PMLA).

The searches were carried out on September 14 at business and residential premises in Delhi, Ghaziabad, Mumbai, Lucknow, and Gaya in the money laundering case against the app-based token HPZ and related entities. The case is based on an FIR registered in October 2021 by the cybercrime unit of the Kohima police in Nagaland.

According to the ED, the HPZ token was an app-based token that lured victims to invest by promising to double their money and deliver large returns from investments in bitcoin and other cryptocurrency mining machines.

“Payments were received from users through UPIs and other payment gateways/nodal gateways/individuals. Part of the amount was paid back to the investors and the remaining amount was diverted to various individual and company accounts through various payment gateways/banks, from where it was partly siphoned off in digital/virtual currencies. After that, the fraudsters stopped the payments and the website became inaccessible,” the ED states.

Allegedly, the companies harvested victims' personal data when the loan apps were downloaded, while charging “usurious” interest rates. The ED initiated its probe under the criminal sections of the PMLA after many borrowers reportedly took their own lives; the loan app companies had harassed and threatened borrowers using the personal data taken from their phones. The ED claims that one such loan app entity, M/s Mad-Elephant Network Technology Private Limited, operated several loan apps (Yo-Yo Cash, Tufan Rupees, Coco Cash, etc.) under an agreement with X10 Financial Services Limited. Similarly, Su Hui Technology Private Limited operated loan apps under an agreement with M/s Nimisha Finance India Private Limited.

In a meeting held on September 8, Finance Minister Nirmala Sitharaman reviewed the issues related to illegal loan apps. The meeting was attended by senior ministry officials and RBI officials, and it was decided that appropriate measures would be taken to check the operations of such apps.

Payment Gateway Firm Razorpay Loses ₹7.3 Crore in Cyber Fraud Incident

 

The South East cybercrime police are investigating a case in which a hacker stole ₹7.3 crore over three months by exploiting the authorization process of the payment gateway company Razorpay Software Private Limited, causing 831 failed transactions to be treated as authenticated.

The fraud came to light when Razorpay officials audited their transactions and could not reconcile receipt of Rs. 7,38,36,192 against 831 transactions.

Razorpay Software Private Limited was founded by Shashank Kumar and Harshil Mathur in 2015. The company offers online payment services that allow businesses in India to collect payments via credit card, debit card, net banking, and wallets. 

On May 16, Abhishek Abhinav Anand, head of Legal Disputes and Law Enforcement at Razorpay Software Private Limited, lodged a complaint with the South East cybercrime police. The police are currently attempting to track down the hacker on the basis of online transactions.
 
An internal probe revealed that one or more persons had tampered with and manipulated the authorization and authentication process, so that false ‘approvals’ were sent to Razorpay for the 831 failed transactions, resulting in a loss of ₹7,38,36,192. The company gave the police details of the 831 transactions, including date, time, IP address, and other relevant information.

"Razorpay's payment gateway is at par with the industry standards on data security. During a routine payment process, an unauthorized actor(s) with malicious intent used the browser to tamper with authorization data on a few merchant sites that used an older version of Razorpay's integration, due to gaps in their payment verification process. The company has conducted an audit of the platform to ensure that no other systems, merchant data or funds, nor their end-consumers, were affected by this incident,” Razorpay's spokesperson stated.
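The statement attributes the loss to browser-side tampering with authorization data on merchant sites whose older integration did not verify the payment. The block below, an added example that is not from this post or from Razorpay, contrasts a merchant callback handler that trusts a browser-supplied result with one that verifies the gateway's signature on the server. The scheme implemented (HMAC-SHA256 over 'order_id|payment_id' keyed with the merchant's key secret, delivered in the fields razorpay_order_id, razorpay_payment_id and razorpay_signature) follows Razorpay's public integration docs as I understand them and is an assumption here; the secret, order ids, payment ids and callbacks are constructed.

```python
"""Merchant-side checkout handling: trusting the browser vs verifying a signature.
The signature scheme is assumed from the gateway's public docs; all data is constructed."""
import hashlib
import hmac
from typing import Dict

# Constructed merchant-side state: the secret never leaves the server, and the order
# id was created server-side before checkout began, so a valid callback must echo it.
KEY_SECRET = "constructed_test_secret"
SERVER_ORDERS = {"order_TEST0001": {"amount": 49900, "status": "created"}}


def checkout_signature(order_id: str, payment_id: str, key_secret: str) -> str:
    """HMAC-SHA256 over 'order_id|payment_id' keyed with the merchant secret (assumed scheme)."""
    msg = f"{order_id}|{payment_id}".encode()
    return hmac.new(key_secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_checkout_callback(callback: Dict[str, str], key_secret: str) -> bool:
    """True only if the callback names an order this server created and carries a
    signature binding that order id to the payment id under the merchant secret."""
    try:
        order_id = callback["razorpay_order_id"]
        payment_id = callback["razorpay_payment_id"]
        presented = callback["razorpay_signature"]
    except KeyError:
        return False
    if order_id not in SERVER_ORDERS:
        return False
    expected = checkout_signature(order_id, payment_id, key_secret)
    return hmac.compare_digest(expected, presented)  # constant-time compare


def process_payment_vulnerable(callback: Dict[str, str]) -> str:
    """The gap: whatever the browser posts decides the outcome. A client that rewrites
    'status' (or the gateway response it relays) gets 'paid' for a failed transaction."""
    if callback.get("status") == "success":
        return "paid"
    return "rejected"


def process_payment_hardened(callback: Dict[str, str]) -> str:
    """Outcome depends on a signature the browser cannot forge without the secret. The
    order id is checked against server-created state, and the handler is idempotent so
    a replayed success cannot be applied twice."""
    if not verify_checkout_callback(callback, KEY_SECRET):
        return "rejected"
    order = SERVER_ORDERS[callback["razorpay_order_id"]]
    if order["status"] == "paid":
        return "already_paid"
    order["status"] = "paid"
    order["payment_id"] = callback["razorpay_payment_id"]
    return "paid"


def constructed_callback(order_id: str, payment_id: str, secret: str) -> Dict[str, str]:
    """What a legitimate checkout completion would post back. Built with the secret
    only to fabricate sample data; a real browser never holds the secret."""
    return {
        "razorpay_order_id": order_id,
        "razorpay_payment_id": payment_id,
        "razorpay_signature": checkout_signature(order_id, payment_id, secret),
        "status": "success",
    }
```

Two practices beyond the signature check close the remaining gap the audit found: confirm the payment's status and amount server-to-server with the gateway's API before fulfilling, and reconcile every "approved" transaction against the gateway's own ledger on a schedule, which is how this fraud was eventually noticed.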

According to the Ministry of Electronics and Information Technology (MeitY), the number of cybercrime and fraud incidents recorded by the government rose more than five-fold between 2018 and 2021.

The number of incidents rose from 208,456 in 2018 to 1,402,809 in 2021, according to data from the Indian Computer Emergency Response Team (CERT-In), the government's computer security agency.