Vulnerability Disclosure | Infosec Team | December 18, 2019
On 2019-03-28, Global Payments issued a commit to their SDK that introduced a vulnerability allowing man-in-the-middle attacks, because SSL integrity checking was explicitly disabled. As a result, all communications between merchants and GlobalPay could be intercepted and decrypted. Any merchant using a version of the SDK released between 2017-08-31 and 2019-12-10 was vulnerable to this issue.
Correction: The original version of this article gave the vulnerable versions as those released between 2019-03-28 and 2019-12-10. However, upon further investigation and community feedback, it appears this issue was introduced numerous times. The first commit (https://github.com/globalpayments/php-sdk/commit/a2f01f4113aae11a915613f555ee8a4762f8e299#diff-75598bd8eda8749a6e7077c2692fee50R80-R81) introduced this, and the fix was implemented for less than two days before being removed in another commit.
The following information is exposed over the wire in XML format, with example payloads included below:
Sample payload we’ve observed during vulnerability testing:
<payer>
  <ref>CUSTOMER_KEY</ref>
  <type>Retail|Subscriber</type>
  <title>Mr|Ms|Mrs</title>
  <firstname>Bob</firstname>
  <surname>Smith</surname>
  <company>Company Name</company>
  <address>
    <line1>123 Smith Street</line1>
    <line2>Unit 1</line2>
    <line3>Bob Smith</line3>
    <city>City</city>
    <county>Province or State</county>
    <postcode>123456</postcode>
    <country>
      <code>CA</code>
    </country>
  </address>
  <phonenumbers>
    <home>15555555555</home>
    <work>15555555555</work>
    <fax>15555555555</fax>
    <mobile>15555555555</mobile>
  </phonenumbers>
  <email>[email protected]</email>
</payer>

<customer>
  <customerid>1234</customerid>
  <firstname>Bob</firstname>
  <lastname>Smith</lastname>
  <dateofbirth>2019-01-01</dateofbirth>
  <customerpassword>mys3cr3tpassw0rd?</customerpassword>
  <email></email>
  <domainname></domainname>
  <devicefingerprint></devicefingerprint>
  <phonenumber>15555555555</phonenumber>
</customer>
In addition to personal information disclosure, two unique payloads were observed detailing the credit or debit card information, including the 3 security digits on the back of the card. Included below are sample payloads observed across the wire during testing:
<card>
  <ref>1234</ref>
  <payerref>CUSTOMER_KEY</payerref>
  <number>5152555555555555</number>
  <expdate>0122</expdate>
  <chname>BOB SMITH</chname>
  <type>MASTERCARD</type>
</card>

<card>
  <number>5152555555555555</number>
  <expdate>0122</expdate>
  <chname>BOB SMITH</chname>
  <type>MASTERCARD</type>
  <cvn>
    <number>123</number>
    <presind>1</presind>
  </cvn>
</card>
Disclosing this vulnerability was not easy. There was no security email address, and all attempts had bounced. After numerous attempts and third-party disclosure assistance, Global Payments made initial contact on Tuesday, November 26th, 2019.
As of December 10th, 2019, the vulnerability has been patched in the upstream repository. The commit can be found here: https://github.com/globalpayments/php-sdk/commit/a73f8039b213ce6888df1f12e93fc3264d920f2e
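One way to check a vendored copy of a PHP dependency for this class of change, as an added example that is not code from the SDK or from the original article. It assumes certificate checking is switched off through PHP's cURL options `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`, which the article does not quote; `scan_php`, `classify` and the sample source are constructed for illustration.

```python
import re

# Real PHP cURL option names; 0/false switches the corresponding check off.
OPTION = r"(CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST)"
PATTERNS = [
    # curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    re.compile(r"curl_setopt\s*\(\s*[^,]+,\s*" + OPTION + r"\s*,\s*([^)]+?)\s*\)"),
    # curl_setopt_array($ch, [CURLOPT_SSL_VERIFYPEER => false, ...]);
    re.compile(OPTION + r"\s*=>\s*([^,\]\)\s]+)"),
]
DISABLED = {"false", "0", "'0'", '"0"'}

def classify(value):
    """Return 'disabled', 'dynamic' (needs manual review) or None (check left on)."""
    v = value.strip().lower()
    if v in DISABLED:
        return "disabled"
    if v.startswith("$") or "(" in v:
        return "dynamic"  # value comes from a variable or call; cannot be resolved here
    return None

def scan_php(source, filename="<memory>"):
    """Return (filename, line_no, option, verdict) for each weakened TLS check."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip whole-line comments; trailing comments are not parsed
        for pattern in PATTERNS:
            for option, value in pattern.findall(line):
                verdict = classify(value)
                if verdict:
                    findings.append((filename, line_no, option, verdict))
    return findings

# Constructed sample input, not taken from the SDK.
SAMPLE = """<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
// curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYPEER => $verify]);
"""

if __name__ == "__main__":
    for finding in scan_php(SAMPLE, "sample.php"):
        print("%s:%d %s %s" % finding)
```

Running `scan_php` over every `.php` file under `vendor/` in CI turns a reintroduced setting into a failed build instead of a silent regression.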
2019-07-10: Initial Discovery
2019-11-26: Initial contact from VP of Information Security, Phone Call.
2019-11-26: Email sent disclosing origin of vulnerability, payloads and information.
2019-11-27: VP acknowledges information receipt.
2019-11-27: VP requests call for 1:00 PM EST with security team located in UK, call is accepted.
2019-11-27: Information pertaining to the exact two lines in the public repository is sent to VP of Information Security, showing where the vulnerability is.
2019-11-27: VP of Information Security acknowledges and indicates they will pass this on to security team for further analysis.
2019-12-07: VP indicates changes are being made and will advise when the fix has been made available.
2019-12-11: Notification that changes were made and vulnerability has been patched.
Written by: Infosec Team