Something for nothing

E-commerce security flaw found in WooCommerce extension NAB Transact

Online retailers who use the WooCommerce extension NAB Transact have been urged to update their systems after the discovery of a critical payment bypass flaw.

By exploiting a vulnerability in the NAB Transact payment gateway, an attacker could potentially dupe vendors into believing unpaid orders have been fully settled.

Miscreants can do so, when prompted to enter payment details, by issuing a GET request to the vendor’s site that incorporates the order number and code, along with a bogus transaction number, according to the researcher who discovered the security flaw.

An attacker could still exploit the vulnerability even if the order details fail to appear during the order workflow, said Jack Misiura, application security consultant at The Missing Link, an Australian IT services firm.

All they have to do is “submit invalid payment information and get a declined message”, then “brute-force the order number which is sequential”, he explained. “Doing so will mark any existing pending orders as fully paid.”

This exploit works because the vulnerable version of NAB Transact fails to validate origin-of-payment-processor status requests, Misiura revealed on the Full Disclosure security mailing list on August 20.

‘No indication of compromise’

“The scary thing is [that] when we were doing the test, we noticed there was no indication of compromise,” Misiura tells The Daily Swig.

This means attackers can “order as much inventory as they desire, mark it as fully paid and have it delivered somewhere”, until such time that a user checked their bank accounts and noted the payment was never made.

“I’d imagine attackers could make smaller transactions here and there and not get caught for sites with lots of traffic,” the researcher added.

READ MORE Denial-of-Wallet attacks: How to protect against costly exploits targeting serverless setups

Provided by National Australia Bank, the country’s largest business bank, the NAB Transact WooCommerce extension allows ecommerce vendors to process all major debit and credit cards within their website.

The plugin is integrated with the Direct Post API and its other features include refunds, risk management, 3D Secure, and pre-authorization.

WooCommerce, an open source ecommerce platform built on WordPress, is used by more than five million websites.

No workarounds

The security vulnerability (CVE-2020-11497) is present in NAB Transact 2.1.0 and was fixed in version 2.1.2.

Misiura notified the developer of the bug on March 27. A patch was issued eight days later, on April 4.

The researcher said no workarounds have been found that protect any vendors that are unable to apply the update.

One mitigation suggested by the plugin developer – “to switch integration from direct post to XML API, which carries PCI/DSS compliance risk” – turned out to be “ineffective”.

The Daily Swig has put additional questions to the developer of NAB Transact and will update the article if and when we hear back.

RECOMMENDED WordPress 5.5 rolls out with auto-updates for plugins