Mastercard Internet Gateway Service: Hashing Design Flaw

I had reported the hash collision bug via Bugcrowd (independently but after OP). Their response was they have upgraded from MD5 to SHA256 when the bug itself has nothing to do with encryption type but rather how you construct your string. They had asked their clients to upgrade to SHA256 version of sdk saying it will provide better security than MD5 but actually in that version they sneakily updated the way they constructed the string (which was the actual problem) and no one knows about this. They should atleast be true to their customers who use their sdk for payments.<p>Edit: My report to them: <a href="https:&#x2F;&#x2F;imgur.com&#x2F;1f2jU05" rel="nofollow">https:&#x2F;&#x2F;imgur.com&#x2F;1f2jU05</a>

In case anyone is wondering, the bug class this belongs to is &quot;canonicalization attacks&quot;. Colin Percival has a good one in the old AWS API.<p><a href="http:&#x2F;&#x2F;www.daemonology.net&#x2F;blog&#x2F;2008-12-18-AWS-signature-version-1-is-insecure.html" rel="nofollow">http:&#x2F;&#x2F;www.daemonology.net&#x2F;blog&#x2F;2008-12-18-AWS-signature-ver...</a>

What&#x27;s with this weird message flow where everything flows through the client -- is this a &quot;feature&quot; of 3D Secure?<p>I&#x27;ve implemented plenty of CC billing over the years but always submitting from the backend server to the merchant API directly - never from the client (that includes Stripe-like JS solutions).<p>Classic blunder for a backend to trust the client to handle the &#x27;amount&#x27; field in any way. Feels a lot like the good old &quot;store the cart total in a hidden field and trust it verbatim&quot; bugs all the shopping carts used to have!

&gt; To exploit this we need to construct a string which will be a valid request, and also a valid MIGS server response.<p>Whoa, crypto 101 fail.<p>In a secure channel between two parties, you either key the two directions differently or you explicitly mark the directions in the authenticated data. You never really on the next layer down to notice the the message was produced by the wrong party.<p>From looking at the example messages in the article, it&#x27;s totally unclear to me that anything binds the response to the request that generated it, either. This could make replay attacks possible. Or maybe even more fun attacks: buy two things, but cancel one partway through and use its MIGS reply for the other one.

Interesting vulnerabilities!<p>For the USA-based folks missing the context, the article describes vulnerabilities in a system called 3D Secure, also known as MasterCard SecureCode, and Verified By Visa.<p>It was really popular like 10 years ago in the US, too — the banks would let or require you to set credentials for online purchases for your credit card number, usually on first use with an online vendor like Newegg. Of course, it was implemented by a third party on each bank&#x27;s behalf, so, for better or worse, it was a separate set of credentials than your online banking. And, of course, being implemented by a third party, there was no sign of whether the domain name of such third party was really authorised by your bank to accept your PII — great way to teach folks to provide PII to random vendors you&#x27;ve never ever heard of (but, look, the page has your bank&#x27;s logo, of course it&#x27;s legit!), not to mention that it was all implemented in frames (possibly on purpose to conceal the domain name of the shady vendor your bank chose), and with a plentiful of pop-up windows with a hidden URL bar at that, too (of course! So 2000s!).<p>Basically, a really great and secure standard compared to just the static credit card number you share with each vendor, but, of course, totally ruined by the actual implementations, in the US, at least.<p>To my knowledge, no single US retailer or bank uses it anymore (IIRC, Newegg and ZipZoomfly did used to possibly require it back in the day). A couple of years ago, I asked Capital One why my online transaction in Russia wasn&#x27;t coming through — didn&#x27;t even reach the usual 3D Secure stage, and they claimed that they haven&#x27;t supported it for ages! (Of course, the infra is still all there, but now it just shows up to the user as a mere splash screen when shopping on foreign websites; still very popular in Russia with all the payment gateways.)<p>Basically, the tech is really useful for reasonable authentication, but suffered the same fate as the Chip in the States back in 2000s (ironically, Target was one of the first vendors to use it in early 2000s). Now if your purchase is declined or you&#x27;re a new customer with a big discount warehouse like Provantage, you just have to call them offline and verify your identity manually; how smart!