Vkontakte and Master Bank handed fraudsters a major bank-card vulnerability on a plate
16 March 2011, 10:50
Many people know that Vkontakte lets you top up your balance from a bank card. Payment acceptance is implemented through Master Bank's processing, and at first glance it looks quite safe: there are the SSL and Verified by Visa / MasterCard SecureCode protocols, and the statement that "Any information transmitted to this page is secure and protected by special means." But while reassuring us with SSL and Visa / MasterCard, Master Bank did not take care of the security of its own protocol.

The protocol by which a merchant creates a payment transaction and sends it to Master Bank allows the parameters of the POST request to be replaced with whatever information one wishes. Using this, a potential fraudster can create a site offering some service, say, topping up a mobile phone. The fraudster generates payment requests in advance for card payment from his own Vkontakte account, thereby obtaining a set of valid ORDER values.
Next, the site's mobile top-up page asks the client for a phone number and forwards him to the Master Bank payment page, with the name, description, merchant and amount replaced by the required values so that the client has no reason for doubt. An example of a tampered POST request to the Master Bank payment page:

<input type='hidden' name='AMOUNT' value='lyubaya_summa'>
<input type='hidden' name='CURRENCY' value='RUB'>
<input type='hidden' name='ORDER' value='сгенерированное_предварительно_значение'>
<input type='hidden' name='DESC' value='Updating your mobile phone'>
<input type='hidden' name='MERCH_NAME' value='Shop online refill'>
<input type='hidden' name='MERCH_URL' value='http://popolni.mobilnik.online.ru'>
<input type='hidden' name='MERCHANT' value='710000000837464'>
<input type='hidden' name='TERMINAL' value='71837464'>
<input type='hidden' name='EMAIL' value=''>
<input type='hidden' name='TRTYPE' value='0'>
<input type='hidden' name='COUNTRY' value=''>
<input type='hidden' name='MERC_GMT' value='3'>
<input type='hidden' name='TIMESTAMP' value='current date'>
<input type='hidden' name='BACKREF' value='vk'>
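The root cause above is that nothing binds the hidden fields to the merchant that created the ORDER: the gateway accepts whatever AMOUNT, DESC and MERCH_NAME arrive in the browser's POST. The following is an added example (not code from the post, and not Master Bank's or Vkontakte's actual protocol) of how a gateway can close both gaps: a merchant-computed HMAC over the fields (a hypothetical SIGNATURE parameter with a hypothetical per-merchant secret) so that any edit in the browser invalidates the request, plus a lookup of ORDER against what the merchant pre-registered so that a genuine ORDER cannot be recycled for a different purchase. The merchant, terminal and URL values are the ones shown on the page; the secret, order number, amounts and registry are constructed for the demonstration.

```python
import hashlib
import hmac

# Fields the gateway binds with the merchant's signature. The set mirrors the
# hidden inputs on the page; the signing scheme itself is a constructed example.
SIGNED_FIELDS = ("AMOUNT", "CURRENCY", "ORDER", "DESC", "MERCH_NAME", "MERCH_URL",
                 "MERCHANT", "TERMINAL", "TRTYPE", "TIMESTAMP")

# Hypothetical per-merchant secret known only to the merchant and the gateway.
MERCHANT_SECRETS = {"710000000837464": b"constructed-merchant-secret"}

# Hypothetical registry of orders the merchant announced to the gateway before
# redirecting the customer (what is being paid for, how much, in what currency).
ORDER_REGISTRY = {
    ("710000000837464", "100500"): {
        "AMOUNT": "300.00", "CURRENCY": "RUB", "DESC": "Vkontakte votes",
    },
}


def canonical(fields: dict) -> bytes:
    """Deterministic serialisation of the signed fields (missing fields count as empty)."""
    return "\n".join(f"{k}={fields.get(k, '')}" for k in SIGNED_FIELDS).encode("utf-8")


def sign(fields: dict, secret: bytes) -> str:
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def validate_payment(fields: dict) -> tuple:
    """Gateway-side check of an incoming payment form. Returns (accepted, reason)."""
    merchant = fields.get("MERCHANT", "")
    secret = MERCHANT_SECRETS.get(merchant)
    if secret is None:
        return False, "unknown merchant"
    # 1. Every field the customer's browser could have edited must be covered by
    #    a MAC the merchant computed; compare in constant time.
    expected = sign(fields, secret).encode("ascii")
    supplied = str(fields.get("SIGNATURE", "")).encode("utf-8")
    if not hmac.compare_digest(expected, supplied):
        return False, "bad signature"
    # 2. ORDER must belong to this merchant, and amount/description must match
    #    what was registered for it, so a valid ORDER cannot be reused for a
    #    different purchase even if the merchant's own form builder has a bug.
    registered = ORDER_REGISTRY.get((merchant, fields.get("ORDER", "")))
    if registered is None:
        return False, "unknown order"
    for name, value in registered.items():
        if fields.get(name) != value:
            return False, f"{name} does not match registered order"
    return True, "ok"


def legitimate_request() -> dict:
    """Form as the real merchant would build it, signed with its secret."""
    fields = {
        "AMOUNT": "300.00", "CURRENCY": "RUB", "ORDER": "100500",
        "DESC": "Vkontakte votes", "MERCH_NAME": "Vkontakte",
        "MERCH_URL": "http://merchant.example",  # placeholder URL
        "MERCHANT": "710000000837464", "TERMINAL": "71837464",
        "TRTYPE": "0", "TIMESTAMP": "20110316105000",
    }
    fields["SIGNATURE"] = sign(fields, MERCHANT_SECRETS[fields["MERCHANT"]])
    return fields


def tampered_request() -> dict:
    """The scenario from the post: keep the valid ORDER, merchant and terminal but
    rewrite the customer-visible fields. Without the secret the old MAC is all
    the tamperer can send along."""
    fields = dict(legitimate_request())
    fields.update({
        "AMOUNT": "5000.00",
        "DESC": "Updating your mobile phone",
        "MERCH_NAME": "Shop online refill",
        "MERCH_URL": "http://popolni.mobilnik.online.ru",
    })
    return fields


def resigned_wrong_amount_request() -> dict:
    """Correctly signed by the merchant, but the amount differs from the
    registered order: caught by the registry check rather than the MAC."""
    fields = legitimate_request()
    fields["AMOUNT"] = "1.00"
    fields["SIGNATURE"] = sign(fields, MERCHANT_SECRETS[fields["MERCHANT"]])
    return fields


if __name__ == "__main__":
    for label, req in (("legitimate", legitimate_request()),
                       ("tampered", tampered_request()),
                       ("wrong amount", resigned_wrong_amount_request())):
        print(label, validate_payment(req))
```

Two points in the design matter for this particular bug. The MAC must cover every field that influences what the customer sees or pays (name, description, URL and amount, not only the amount), otherwise the "trusted bank page" still lends its credibility to a fake merchant name. And the registry lookup is an independent control: it defends the cardholder even when the merchant's signing key leaks or its form builder signs the wrong values, because the gateway only honours the amount and purpose that were registered for that ORDER.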


So the cardholder is redirected to enter the card details, trusting that, since he is on the bank's trusted site, the merchant can be trusted as well.

The funds are debited from the cardholder's account, but instead of a mobile top-up, votes are credited to the fraudster's Vkontakte account. The fraudster provides no mobile top-up service and spends the Vkontakte votes on advertising and other services.



The vulnerability was tested; as can be seen, the funds were credited to the Vkontakte account.

P.S. Naturally, this information was published only after Master Bank's and Vkontakte's technical support had been informed of the vulnerability. Vkontakte even replied with a comment that the vulnerability is small but plausible.
Views: 483 | Added by: w1zard | Rating: 0.0/0