I noticed @fyrstikken had implemented the @steempayments WOO plugin! I immediately wanted to test out the workings, as I was curious if I could buy something with SBD directly!
So I wanted to buy some great products in his store with SBD. Because I was a little indecisive, I decided to go for all of the products:
In the end my bill totalled to $ 13,902 and I was a bit shocked. That's not the amount of SBD available on my account.
I picked SBD at checkout and, arriving on Steempay.io, I tried to change the amount due to 0.01 SBD by simply altering the URL.
Then I paid that 0.01 SBD instead. You can see it in my transfers: @roelandp/transfers
- And within minutes I was redirected to @fyrstikken's shop and got an order confirmation...
- And another minute later I found all licenses in my email inbox:
- I informed @fyrstikken of this flaw and advised him to disable the plugin. I think he has done so in the meantime.
- He told me I should write a small whitehat research post to warn others to not install the plugin
- I have informed @steve-walschot about this serious exploit
*edit* did a little exploit hunting...
I've taken time to analyse the plugin code a bit further, curious to see how these WOO plugins actually work. Because there must be some kind of validation built into the script, right?
On https://www.diffchecker.com/P9WBXOUG you see the 'diff' between the original plugin ("the inspiration" #notinventedhere (on the left)) and the Steempay version (on the right).
In line 228 you see the following code:
```php
$payload = array(
    "payid"    => $_REQUEST['payid'],  // taken straight from the request
    "receiver" => $this->receiver_id,
    "amount"   => "0",                 // hard-coded, not the order amount
    "currency" => "0"                  // hard-coded, not the order currency
);
```
So this is the part where the 'verification' happens: the most important part of the payment code, the part that answers the questions 'did the transaction go through?' and 'did the amount correspond to the amount that needed to be paid?'.
If you look at the parameters being sent, you see that both 'amount' and 'currency' are a stringified "0" being sent to the SteemPayment server...
This means the verification is totally forgotten / not implemented:
- The crucial values are omitted and "0"s are sent instead, so the check can never compare what was paid against what was owed.
- The validation on the server side (on Steempay) is not implemented either: if it were, it would have rejected my payment, because my transfer was 0.01 SBD (currency SBD, amount 0.01), which is definitely not the same as the "0" values sent to the server for the check.
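To make the difference concrete, here is an added example (my own illustration, not code from the Steempay plugin or from @steve-walschot's repository) showing the vulnerable verification shape beside a hardened one. The order store, the transfer list, the account names and the function names are all constructed assumptions; the transfer list stands in for a lookup of the receiving account's transfer history, and the expected amount and currency come from the merchant's own order record, never from the URL or the request.

```php
<?php
// Added example, not the plugin's own code. All data below is constructed.
declare(strict_types=1);

// Constructed sample: what the shop recorded when each order was created.
$orders = [
    'pay-1001' => ['amount' => '13902.000', 'currency' => 'SBD'],
    'pay-1002' => ['amount' => '0.010',     'currency' => 'SBD'],
];

// Constructed sample: transfers seen on the receiving account (memo = payid).
$transfers = [
    ['from' => 'roelandp', 'to' => 'shop', 'amount' => '0.010', 'currency' => 'SBD', 'memo' => 'pay-1001'],
    ['from' => 'alice',    'to' => 'shop', 'amount' => '0.010', 'currency' => 'SBD', 'memo' => 'pay-1002'],
];

/**
 * Vulnerable pattern described in the post: amount and currency in the
 * verification payload are hard-coded "0", so any transfer carrying the
 * payid in its memo "verifies", whatever was actually paid.
 */
function verify_vulnerable(array $transfers, string $payid): bool
{
    $payload = ['payid' => $payid, 'amount' => '0', 'currency' => '0'];
    foreach ($transfers as $t) {
        if ($t['memo'] === $payload['payid']) {
            return true; // no comparison of amount or currency at all
        }
    }
    return false;
}

/**
 * Hardened version: the expected values come from the order store (assumed
 * hypothetical lookup), the transfer must be addressed to our account, the
 * currency must match exactly (STEEM is not SBD), and the summed amount must
 * cover what is owed. Amounts are compared as integers in thousandths so
 * that float rounding cannot be abused.
 */
function verify_hardened(array $orders, array $transfers, string $payid, string $receiver): bool
{
    if (!isset($orders[$payid])) {
        return false; // unknown or tampered order id
    }
    $expected = $orders[$payid];
    $paid = 0;
    foreach ($transfers as $t) {
        if ($t['to'] !== $receiver || $t['memo'] !== $payid) {
            continue;
        }
        if ($t['currency'] !== $expected['currency']) {
            continue; // wrong currency does not count towards the order
        }
        $paid += to_millis($t['amount']); // split payments may accumulate
    }
    return $paid >= to_millis($expected['amount']);
}

// Convert a Steem-style amount string such as "13902.000" to 13902000.
function to_millis(string $amount): int
{
    if (!preg_match('/^\d+\.\d{3}$/', $amount)) {
        throw new InvalidArgumentException("bad amount: $amount");
    }
    return (int) str_replace('.', '', $amount);
}

// Usage: pay-1001 is the 13,902 SBD order that received only 0.010 SBD.
var_dump(verify_vulnerable($transfers, 'pay-1001'));
var_dump(verify_hardened($orders, $transfers, 'pay-1001', 'shop'));
var_dump(verify_hardened($orders, $transfers, 'pay-1002', 'shop'));
```

The point of the hardened function is that nothing the buyer controls (URL parameters, the `payid` in `$_REQUEST`, the amount shown on the checkout page) feeds the comparison; the only buyer-controlled input is the order id, and it is used purely as a key into the shop's own record. Whether the server-side check lives in the shop or at Steempay, it has to receive the real expected amount and currency, or it cannot check anything.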
* end edit *
So IMHO these vulnerabilities need to be fixed in order to get Steempay.io to the next level. I really love the idea to have SBD / Steem as an integrated payment option through plugins for Woo Commerce and other webshop platforms. I do understand this code is in beta, as was said in the announcement post: "the beta version is usually the last version before wide release, often tested by users under real-world conditions."
I hope we see an updated version of steempay woo commerce plugin without these exploits and full https support in the near future.
* update 2 *
- according to @steve-walschot the bug is fixed.
- however Github Zip releases is not updated.
- HTTPS is not used for the payment verification URL, if I see correctly.
- I really want to review `/WOO/verify.php` and urge others to do so too before implementing this plugin.
* update 3 *
- Github Zip release is now also updated. The note on Github has a warning to "NOT USE IT IN PRODUCTION ENVIRONMENT". I think that warning should be mentioned on the original trending post too, and should have been mentioned from the beginning.
* update 4 *
- As this is not a SteemFest related post I won't push these rewards into @steemfest. Nevertheless I will push the SBD rewards of this post towards a good cause: I will give the SBD rewards of the post to this group of five people from Belarus: @celebr1ty/collect-sd-for-visit-to-steemfest-by-our-team-part-2-5 who are very much willing to come to Amsterdam SteemFest, provided that they actually come to Amsterdam :) Otherwise I'd be pleased to receive the monneys back...