
Link enumeration: getting data on Portmone and Fidobank clients

The same link-enumeration problem, described in “User data leakage in QIWI” in July and in “Tinkoff Bank compromised customer account statements?” in August, I had found even earlier at the Ukrainian companies Portmone.com and Fidobank.
I must say that these problems have already been closed. However, there are others. I will write about both.

Those who read the posts above understand what will be discussed below. For the others, briefly: there is (more precisely, there was) a way to obtain data on the transactions of these companies' clients.

I will go in order (the errors are, in fact, completely identical).

After paying for a service in Fidobank's Internet banking (i.e., you had to be a registered client and log into your account), you could download a receipt for this payment/purchase. It was a long link of the form https://fidomarket.ua/purchase-history?p_p_id=historyportlet_WAR_fidoportlet&p_p_lifecycle=2&p_p_state=normal&p_p_mode=view&p_p_cacheability=cacheLevelPage&p_p_col_id=column-3&p_p_col_count=1&_historyportlet_WAR_fidoportlet_format=pdf&_historyportlet_WAR_fidoportlet_orderNum=XXXXXXXXXX&_historyportlet_WAR_fidoportlet_prodtype=Deposit (336 characters, by the way; I pulled it out of the page source).
And this link opened without authorization.
It was enough to change the “orderNum” parameter and the site returned someone else's PDF.

There is nothing confidential in these receipts (lucky), so here they are:

[screenshot]

[screenshot]

Although I came across more interesting ones (note that these transactions were performed through Internet banking):

[screenshot]

After my report, the error was closed fairly quickly. I am glad that the bank has a dedicated mailbox for reporting security problems. Although I disagree with some of the answers to the situations I reported. As an example: when transferring from card to card (there was, by the way, one article on Habr about this site), an authorization code is sent for security. Previously (I have not checked for a long time), after the first transfer was completed, if another transfer was made within ten minutes, the authorization code was not sent again; the current one was reused. The staff insisted that this was normal and safe enough. And I think the bank just saved on SMS)

Another example.
If you search Google for their deposits, you get a subsite that Chrome does not want to display:

[screenshot]

[screenshot]

Chrome does not show it to me even if I try to remove the letter “s” from the address.

By the way, Firefox, Opera and IE now open this site without error, but I still have screenshots where this error appeared in each of them.

But that is how bank sites are. The other day another Ukrainian bank, Forward, missed the deadline for renewing its domain (already restored).



So, Portmone. After paying for services, the company's page shows a message about the successful completion of the operation with the option to download a receipt in PDF. The link has the form portmone.com.ua/r3/uk/services/receipts/get-receipts/shop-bill-id/XXXXXXXXXXXXXXXXXXXX . By iterating over the characters at the end, you could download receipts of the site's clients (the site did not ban the enumeration). The most popular were mobile phone top-ups:

[screenshot]

however, there were other payments too:

[screenshot]

Receipts were available for previous years too (on the left side, in the middle: “Paid: 04.06.2010”):

[screenshot]
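The text above notes that the site did not ban the enumeration of shop-bill-id values. As an added example (my own code, not Portmone's or the original post's), here is detection logic a defender could run over web-server access logs to flag a client walking consecutive receipt ids; the log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined log format (not real traffic):
# one client walks consecutive shop-bill-id values, another fetches a single receipt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2015:14:01:00 +0300] "GET /r3/uk/services/receipts/get-receipts/shop-bill-id/1000000000000000020 HTTP/1.1" 200 4120
203.0.113.7 - - [10/Sep/2015:14:01:01 +0300] "GET /r3/uk/services/receipts/get-receipts/shop-bill-id/1000000000000000021 HTTP/1.1" 200 4080
203.0.113.7 - - [10/Sep/2015:14:01:02 +0300] "GET /r3/uk/services/receipts/get-receipts/shop-bill-id/1000000000000000022 HTTP/1.1" 404 0
203.0.113.7 - - [10/Sep/2015:14:01:03 +0300] "GET /r3/uk/services/receipts/get-receipts/shop-bill-id/1000000000000000023 HTTP/1.1" 200 3990
203.0.113.7 - - [10/Sep/2015:14:01:04 +0300] "GET /r3/uk/services/receipts/get-receipts/shop-bill-id/1000000000000000024 HTTP/1.1" 200 4010
198.51.100.9 - - [10/Sep/2015:14:05:00 +0300] "GET /r3/uk/services/receipts/get-receipts/shop-bill-id/1000000000000000777 HTTP/1.1" 200 4050
"""

# Client IP, timestamp, numeric shop-bill-id and HTTP status of a receipt download.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET \S*/shop-bill-id/(?P<bill>\d+)\S* HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_receipt_requests(log_text):
    """Yield (ip, timestamp, bill_id, status) for each receipt-download request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts, int(m.group("bill")), int(m.group("status"))

def find_enumeration(log_text, window=timedelta(minutes=5), min_ids=4, max_step=10):
    """Flag clients that requested at least `min_ids` distinct receipt ids within
    `window`, where the sorted ids are never more than `max_step` apart (sequential
    walking). Returns {ip: {"ids": distinct id count, "misses": 404 count}}."""
    per_ip = defaultdict(list)
    for ip, ts, bill, status in parse_receipt_requests(log_text):
        per_ip[ip].append((ts, bill, status))
    suspects = {}
    for ip, events in per_ip.items():
        events.sort()
        ids = sorted({bill for _, bill, _ in events})
        if len(ids) < min_ids or events[-1][0] - events[0][0] > window:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        if max(steps) <= max_step:   # 404s among the misses are a further tell-tale
            suspects[ip] = {
                "ids": len(ids),
                "misses": sum(1 for _, _, status in events if status == 404),
            }
    return suspects
```

The thresholds are assumptions; in production they would be tuned against the normal rate of receipt downloads per logged-in client.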

This company also corrected the situation quite quickly, and now, instead of the nameless “receipts.pdf”, a file named in the format “payment date Paid service.pdf” is downloaded; a trifle, but nice. The link now has the same format, but the ending is 129 characters instead of 19: https://www.portmone.com.ua/r3/services/receipts/get-receipts/shop-bill-id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .
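Both the Fidobank orderNum and the Portmone shop-bill-id cases above are the same defect: a receipt served by a short, guessable identifier with no login or ownership check. As an added example (my own code, not either company's), here is the vulnerable lookup beside a hardened one that mirrors the fix the text describes (a long random token in the link) and also ties the receipt to the logged-in owner; the in-memory store, the receipt data and the example.invalid URL are constructed.

```python
import secrets

# Constructed in-memory receipt store (example data, not the company's code).
# Old scheme: a short sequential shop-bill-id that neighbours can guess.
# New scheme: a long random token (the page's fix went from 19 to 129 characters).
_by_sequential_id = {}
_by_token = {}
_next_sequential = 1000000000000000000

def store_receipt(owner, text):
    """Save a receipt and return (sequential_id, random_token) for it."""
    global _next_sequential
    seq_id = _next_sequential
    _next_sequential += 1
    token = secrets.token_urlsafe(96)      # 128 url-safe chars from 96 random bytes
    rec = {"owner": owner, "text": text}
    _by_sequential_id[seq_id] = rec
    _by_token[token] = rec
    return seq_id, token

def get_receipt_vulnerable(seq_id):
    """Before the fix: no login, no ownership check, guessable id.
    Whoever knows one id can read the receipts stored next to it."""
    return _by_sequential_id.get(seq_id)

def get_receipt_hardened(token, session_user):
    """After the fix: the caller must be logged in, present an unguessable
    token, and be the owner of that receipt. Anything else returns None."""
    if session_user is None:
        return None
    rec = _by_token.get(token)             # high-entropy token: guessing is infeasible
    if rec is None or rec["owner"] != session_user:
        return None                        # same answer for "missing" and "not yours"
    return rec

def receipt_url(token):
    """Build the download link; only the random token appears in the URL (hypothetical host)."""
    return "https://example.invalid/services/receipts/get-receipts/shop-bill-id/" + token
```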

And then there is a bank where, after the introduction of 3-D Secure, the CVV check fell off.
I simply entered three ones into the CVV/CVC field, received an SMS with a 3-D Secure code, and the payment went through. I tried the same operation with a PrivatBank card and got the error message “Incorrect CVV or card expiration date”. But with the unnamed bank's card, the operation with the wrong CVV still goes through now; I checked several times.


By the way, let me tell you about card-to-card transfers.

Some sites make it possible not only to transfer money from card to card, but also to create a link in which the card number you specified and the amount (optional) are “sewn in”. As Portmone.com puts it, “Senders of transfers, by clicking on this link, will be able to transfer money from their card to yours online.” This service is useful when you need to receive a transfer but do not want to disclose your card number: “Send the link to the sender; by clicking on it, your card number and the amount, if it was specified, will be filled in,” to quote Privat.

Here's what it looks like on the EasyPay website:
[screenshot]

And on the PrivatBank site:
[screenshot]

And this is on the Portmone website:
[screenshot]

Feel the difference? They do not hide the card number. (This is a test card, so I'm not afraid to post it on the Internet. If you want to transfer money to me just for testing purposes, I'll give you the number of another card ;-)

In general, I'll finish like this: mistakes are everywhere. The main thing is to find them.

Source: https://habr.com/ru/post/267121/