Vulnerabilities in Plategka.com Service Including XSS

    I am interested in payment services, banks, plastic cards, and e-commerce in general. I also like finding errors and vulnerabilities in Internet banking systems, payment terminals and online transfer systems.

    Not so long ago, one Ukrainian online payment service, Plategka.com, launched a new function: creating a link with a unique address and a QR code for receiving a transfer to a card.

    As soon as I went to check how the new service works, I saw the same mistake that Portmone once made: the link shows the full card number. By walking through the links, you can collect card numbers. "Initially, we thought about hiding the card number, but there are pros and cons in this matter, so at the first stage, in order for the Payer to be able to verify the correctness of the entered data, it was decided to leave it," they write to the user.

    image

    The exposure of the full card number is compounded by the fact that, for the payer's convenience, the recipient's surname and first name are shown as well.

    In total: you can collect full card numbers plus the names of the cardholders (in the screenshot I have indicated only the first letters of the Latin alphabet).

    I immediately reported this mistake to the company; they fixed the display of the full card number quickly enough and even thanked me with the sum of ... 200 hryvnia ($8.5). Well ...

    A couple of days later, having found some free time, I went to the site again. Since at registration I had initially entered not quite correct data in the "last name" and "first name" fields, this time I decided to see whether it is possible to enter two words in these fields.

    image
    (phone number is not mine)


    It was possible to enter two words.

    image


    It was possible to enter even more.

    image


    The result was the following:

    image

    But what if you add line breaks? I forgot that this is a payment service and such code should not be executed at all.
    However, the developers forgot to take this into account too: the system accepted and "correctly" displayed both line breaks and font colour changes:

    image

    With a form like this, scammers could collect money from gullible users for a long time, especially with a psychologically well-chosen text. By the way, the service makes it possible to "reserve" the link address. Naturally, I tried it and created links of the form:

    www.plategka.com/gateway/pay2meadmin/
    www.plategka.com/gateway/pay2melogin/
    www.plategka.com/gateway/pay2metest/

    and others.

    Note: my links are now inactive with the description "The link owner's account is blocked", but this is not due to any action by Plategka. During the check I deleted one account and created another, and the system does not allow the new user to create a link with a word of their own choosing. That is, the old link can be neither deleted nor changed, and a new one cannot be created either.

    Well, I could not resist trying to insert it into one of the fields.

    image

    And, unfortunately for the service and to my delight, the code was executed:

    image

    Hmm, so the matter was not limited to HTML code: this was XSS.
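    The two defects described in this post, the full card number shown in the link and name fields that are rendered as raw HTML, both come down to what the server puts on the page. The following is an added example of how a payment page could handle both; it is my own illustration, not Plategka's code, and the function names, the allowed-character rule for names and the sample values are all assumptions made for the example.

```javascript
'use strict';

// Added example (not Plategka's code). Two defensive measures for a transfer page:
// 1. mask the PAN so the link never reveals the full card number, while the
//    payer can still verify the last four digits against the card they know;
// 2. validate the recipient name and HTML-escape it before it is rendered,
//    so line breaks, font tags and script tags are never interpreted as markup.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Keep only the last four digits of the PAN; everything else becomes '*'.
// Length bounds (12..19 digits) follow ISO/IEC 7812; anything else is rejected.
function maskPan(pan) {
  const digits = String(pan).replace(/\D/g, '');
  if (digits.length < 12 || digits.length > 19) {
    throw new Error('invalid PAN length');
  }
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Assumed name policy: letters in any script, spaces, hyphens and apostrophes,
// 1..40 characters, starting with a letter. Newlines, '<', '>' and digits fail.
// This is validation, not a substitute for escaping; both are applied below.
function isValidName(name) {
  return typeof name === 'string'
    && name.length >= 1 && name.length <= 40
    && /^\p{L}[\p{L} '-]*$/u.test(name);
}

// Build the HTML fragment for the "pay to card" page. Throws on a bad name
// rather than silently rendering it, so a malicious value never reaches a page.
function renderRecipient({ pan, firstName, lastName }) {
  if (!isValidName(firstName) || !isValidName(lastName)) {
    throw new Error('invalid recipient name');
  }
  return `<p>Recipient: ${escapeHtml(lastName)} ${escapeHtml(firstName)}</p>`
    + `<p>Card: ${escapeHtml(maskPan(pan))}</p>`;
}

// Constructed sample values (not real card or account data).
const ok = renderRecipient({ pan: '5375 4141 0000 1234', firstName: 'Ivan', lastName: 'Petrenko' });
console.log(ok);

// A name carrying markup is rejected before rendering; escapeHtml alone would
// also have neutralised it, which is the point of applying both layers.
try {
  renderRecipient({ pan: '5375414100001234', firstName: 'Ivan', lastName: 'Petrenko<br>Pay here' });
} catch (err) {
  console.log('rejected:', err.message);
}
```

    The validation rule is deliberately strict because a recipient name has no legitimate need for angle brackets or line breaks; escaping on output is kept anyway so that a future field with a looser rule still cannot inject markup.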

    I sent a message to the company, pointing out that these errors are more serious than the previous ones. I was thanked and received a reward. The reward, mind you, was ... again 200 (!) hryvnia!

    I understand that not all companies pay for found vulnerabilities, but
    eight and a half dollars for XSS?
