Vulnerabilities in Plategka.com Service Including XSS
I am interested in payment services, banks, plastic cards and e-commerce in general. I also like finding errors and vulnerabilities in Internet banking systems, payment terminals and online transfer systems.
Not so long ago, one Ukrainian online payment service - Plategka.com - launched a function: creating a link with a unique address and a QR code to receive a transfer to a card.
As soon as I wanted to check how the new service works, I saw the same error that Portmone had made: the link shows the full card number. Going through the links, you can collect card numbers. "Initially we thought about hiding the card number, but there are pros and cons in this matter, so at the first stage, in order for the Payer to be able to verify the correctness of the entered data, we decided to leave it," they write to the user.
The exposure of the full card number is compounded by the fact that, for the payer's convenience, the recipient's surname and first name are shown as well. In total: you can collect full card numbers plus the names of the cardholders (I had simply entered the first letters of the Latin alphabet).
I immediately reported this mistake to the company; they fixed the display of the full card number quickly enough and even thanked me with the sum of ... 200 hryvnia ($8.5). Well ...
A couple of days later, having found some free time, I went to the site again. And since at registration I had originally entered not quite correct data in the "last name" and "first name" fields, this time I decided to check whether it is possible to enter two words in these fields.
(the phone number is not mine)
It was possible to enter two words.
It was possible to enter more, too.
It turned out like this:
But what if you add line breaks - I forgot that this is a payment service and such code should not be executed. However, the developers forgot to take this into account too: the system accepted and "correctly" displayed both line breaks and font colour changes:
With a form like this, scammers could collect money from gullible users for a long time, especially with a psychologically well-crafted text. By the way, the service lets you "reserve" the link address. Naturally, I tried it and created links of the form:
www.plategka.com/gateway/pay2me/admin/
www.plategka.com/gateway/pay2me/login/
www.plategka.com/gateway/pay2me/test/
and others.
Now my links carry the description "The link owner's account is blocked" and are inactive, but this is not due to any action by Plategka: during the check I deleted one account and created another, and the system does not allow the new user to create a link with the word that was freed up. That is, the old link cannot be deleted or changed, and a new one cannot be created either.
Well, I could not help but try inserting into any field.
And, unfortunately for the service and luckily for me, the code was executed:
Hmm, since it was not limited to HTML code, on to XSS.
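The two defects described above (the full card number shown on the public link, and recipient name fields rendered as raw HTML, so line breaks, font tags and eventually script got through) both come down to how the link page renders user data. The following is an added example, not Plategka's code: a hypothetical `render_pay2me` page fragment that masks the card number and escapes the name at output time, using a constructed test PAN.

```python
# Added example (not Plategka's code): safe rendering of a "pay to card" link
# page. Two rules: never emit the full PAN, and escape every user-controlled
# value at output time so injected markup is displayed as text, not executed.
import html
import re
import unicodedata

# Constructed sample data; the PAN is a well-known test number, not a real card.
SAMPLE = {"pan": "4111 1111 1111 1111", "first_name": "Ivan", "last_name": "Petrov"}


def mask_pan(pan: str) -> str:
    """Keep only the last four digits. That still lets the payer confirm the
    destination card (the reason the service gave for showing it in full)
    without making the link a harvestable source of card numbers."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def clean_name(value: str, max_len: int = 40) -> str:
    """Normalise a recipient name field: control characters (including the
    line breaks the form accepted) become spaces, runs of whitespace collapse,
    and the length is bounded. Markup is left in place here; escaping happens
    once, at render time, so nothing depends on this step being complete."""
    value = unicodedata.normalize("NFKC", value)
    value = "".join(" " if unicodedata.category(ch)[0] == "C" else ch for ch in value)
    value = " ".join(value.split())
    return value[:max_len]


def render_pay2me(pan: str, first_name: str, last_name: str) -> str:
    """Build the HTML fragment for the link page (hypothetical layout).
    html.escape turns <, >, &, quotes into entities, so a name such as
    '<font color=red>' or '<script>...' is shown literally."""
    name = clean_name(f"{first_name} {last_name}")
    return "<p>Recipient: <b>{}</b></p><p>Card: <code>{}</code></p>".format(
        html.escape(name, quote=True), html.escape(mask_pan(pan))
    )


if __name__ == "__main__":
    print(render_pay2me(SAMPLE["pan"], SAMPLE["first_name"], SAMPLE["last_name"]))
    print(render_pay2me(SAMPLE["pan"], "Ivan\n<font color=red>", "Petrov</font>"))
```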
I sent a message to the company, pointing out that these errors are more serious than the previous ones. I was thanked and received a reward. The reward, mind you, was ... again 200 (!) hryvnia!
I understand that not every company pays for found vulnerabilities at all, but
eight and a half dollars for XSS?