Many people know that Vkontakte offers the option of topping up the account balance with a bank card. Payment acceptance is handled by Master Bank processing, and at first glance it looks quite safe: there are SSL and Verified by Visa / MasterCard SecureCode protocols, and a statement that "Any information transmitted to this page is secure and protected by special means." But while reassuring us about SSL and the Visa / MasterCard security protocols, Master Bank did not take care of the security of its own protocol at all.
The protocol through which a merchant forms a payment transaction and sends it to Master Bank allows the parameters of the POST request to be changed and any desired information substituted. Taking advantage of this, a potential fraudster can create a website offering some service, for example a mobile phone account top-up. The fraudster generates card payment requests from his Vkontakte account in advance, thereby obtaining a set of valid ORDER values.
Next, on the mobile top-up page of his site, he asks the client to enter a mobile phone number and redirects him to the Master Bank payment page, replacing the merchant name, description and amount with the values needed so that the client has no doubts. An example of a substituted POST request for the Master Bank payment page:
<input type='hidden' name='AMOUNT' value='_'>
<input type='hidden' name='CURRENCY' value='RUB'>
<input type='hidden' name='ORDER' value='__'>
<input type='hidden' name='DESC' value=' '>
<input type='hidden' name='MERCH_NAME' value=' '>
<input type='hidden' name='MERCH_URL' value='http://popolni.mobilnik.online.ru'>
<input type='hidden' name='MERCHANT' value='710000000837464'>
<input type='hidden' name='TERMINAL' value='71837464'>
<input type='hidden' name='EMAIL' value=''>
<input type='hidden' name='TRTYPE' value='0'>
<input type='hidden' name='COUNTRY' value=''>
<input type='hidden' name='MERC_GMT' value='3'>
<input type='hidden' name='TIMESTAMP' value=' '>
<input type='hidden' name='BACKREF' value='vk'>
Thus, the cardholder is redirected to the card details input page, trusting the merchant because he is on the bank's own trusted site. The funds are debited from the cardholder's account, and the votes are credited to the fraudster's Vkontakte account. The fraudster provides no mobile top-up service; the votes are spent on Vkontakte advertising or other services.
The vulnerability was tested; as can be seen, the funds were credited to the Vkontakte account.
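One defensive countermeasure for the weakness described above, as an added example that is neither Master Bank's actual protocol nor code from the original post: the merchant signs the payment parameters with a per-terminal secret, and the gateway refuses any request whose signature does not match, so a page that swaps MERCH_NAME, DESC or AMOUNT while reusing a valid ORDER is rejected. The SIGNATURE field, the secret, the canonical form and the sample values are assumptions of this example.

```python
import hmac
import hashlib

# Hypothetical signing scheme (an assumption, not Master Bank's protocol).
# The field names are the hidden POST parameters shown on the page; only
# fields the cardholder relies on or that identify the payment are signed.
SIGNED_FIELDS = ("MERCHANT", "TERMINAL", "ORDER", "AMOUNT", "CURRENCY",
                 "DESC", "MERCH_NAME", "MERCH_URL", "TRTYPE", "TIMESTAMP")


def canonical(params):
    """Join the signed fields in a fixed order, length-prefixing each value so
    that moving characters between adjacent fields cannot yield the same string."""
    return "".join(f"{len(params.get(k, ''))}:{params.get(k, '')}"
                   for k in SIGNED_FIELDS)


def sign(params, secret):
    """Merchant side: HMAC-SHA256 over the canonical form with the terminal secret."""
    return hmac.new(secret, canonical(params).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify(params, secret):
    """Gateway side: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(sign(params, secret), params.get("SIGNATURE", ""))


# Constructed sample request: placeholder secret and values, not a real transaction.
SECRET = b"per-terminal-secret-constructed-for-this-example"
original = {
    "MERCHANT": "710000000837464", "TERMINAL": "71837464",
    "ORDER": "000123", "AMOUNT": "100.00", "CURRENCY": "RUB",
    "DESC": "VK votes", "MERCH_NAME": "Vkontakte",
    "MERCH_URL": "https://merchant.example", "TRTYPE": "0",
    "TIMESTAMP": "20120101120000",
}
original["SIGNATURE"] = sign(original, SECRET)


def tampered_request():
    """The substitution from the page: merchant name, description and amount are
    replaced while the valid ORDER, MERCHANT and TERMINAL are kept. The old
    signature no longer covers these values, so verify() returns False."""
    t = dict(original)
    t["MERCH_NAME"] = "Mobile top-up"
    t["DESC"] = "Phone +7 900 000 00 00"
    t["AMOUNT"] = "500.00"
    return t
```

Fields left unsigned here (EMAIL, COUNTRY, MERC_GMT, BACKREF) can still be altered freely, so anything the gateway or cardholder acts on must be inside SIGNED_FIELDS.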
PS The information is published, naturally, after the technical support of Master Bank and Vkontakte were informed about the vulnerability. A comment was even received from VKontakte that the vulnerability is minor, but likely.