Flaw in payment system makes shopping free at web shops
Flawed handling of payment transactions in some web shops allows goods to be ordered without paying for them. Web shops built on either of two open source shop systems – osCommerce and xt:commerce – are vulnerable when they use 1&1's ipayment service to handle credit cards. The data that ipayment returns to the shop to report the success or failure of a transaction is not always validated correctly; as a result, an attacker may only need to request a static URL for the shop to treat an order as paid, without any transaction having taken place.
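The flaw described above is a classic payment-return validation bug: the shop acts on a success indicator that arrives via a URL anyone can request, instead of on something only the payment provider could have produced. The following Python is an added illustration, not code from osCommerce, xt:commerce or ipayment, and the notification fields and the HMAC scheme it uses are assumptions chosen for the example rather than ipayment's real interface. It shows the trusting handler beside a hardened one that authenticates the notification, ties it to the stored order's amount and currency, and refuses replays.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed in-memory stand-in for the shop database (example only).
@dataclass
class Order:
    amount_cents: int
    currency: str
    paid: bool = False

@dataclass
class Shop:
    secret: bytes                               # hypothetical secret shared with the provider
    orders: dict = field(default_factory=dict)
    seen_txids: set = field(default_factory=set)

def make_shop() -> Shop:
    """Constructed sample shop with one unpaid 49.99 EUR order."""
    shop = Shop(secret=b"example-shared-secret")
    shop.orders["1001"] = Order(amount_cents=4999, currency="EUR")
    return shop

def vulnerable_return_handler(shop: Shop, params: dict) -> bool:
    """Flawed pattern: trusts the 'status' parameter of the return URL.
    Requesting ?order_id=1001&status=SUCCESS marks the order paid."""
    order = shop.orders.get(params.get("order_id"))
    if order is None:
        return False
    if params.get("status") == "SUCCESS":
        order.paid = True
        return True
    return False

# Fields the provider is assumed to authenticate, in a fixed order.
SIGNED_FIELDS = ("order_id", "txid", "status", "amount_cents", "currency")

def sign_notification(secret: bytes, params: dict) -> str:
    """Hypothetical scheme: HMAC-SHA256 over the signed fields joined by '|'."""
    msg = "|".join(str(params[k]) for k in SIGNED_FIELDS).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def hardened_return_handler(shop: Shop, params: dict) -> bool:
    """Accept only notifications the provider authenticated, and only when
    what was paid matches what the shop is owed for that order."""
    try:
        expected = sign_notification(shop.secret, params)
    except KeyError:
        return False                            # a signed field is missing
    if not hmac.compare_digest(expected, str(params.get("mac", ""))):
        return False                            # forged or tampered notification
    order = shop.orders.get(params["order_id"])
    if order is None or order.paid:
        return False                            # unknown order, or already settled
    if params["status"] != "SUCCESS":
        return False                            # authenticated failure: leave unpaid
    if params["txid"] in shop.seen_txids:
        return False                            # replay of an earlier notification
    if int(params["amount_cents"]) != order.amount_cents or params["currency"] != order.currency:
        return False                            # paid, but not the amount this order requires
    shop.seen_txids.add(params["txid"])
    order.paid = True
    return True

def demo() -> tuple:
    """Returns (vulnerable accepted forgery, hardened accepted forgery,
    hardened accepted genuine notification)."""
    forged = {"order_id": "1001", "status": "SUCCESS"}
    weak = make_shop()
    strong = make_shop()
    genuine = {"order_id": "1001", "txid": "tx-42", "status": "SUCCESS",
               "amount_cents": "4999", "currency": "EUR"}
    genuine["mac"] = sign_notification(strong.secret, genuine)
    return (vulnerable_return_handler(weak, forged),
            hardened_return_handler(strong, forged),
            hardened_return_handler(strong, genuine))

if __name__ == "__main__":
    print(demo())
```

Authenticating the notification is necessary but not sufficient: the amount and currency check matters because an attacker who can edit the amount in the redirect to the provider can obtain a perfectly genuine "paid" notification for a smaller sum, and the transaction-id check stops one real payment from being replayed against several orders. Where the provider offers a server-to-server status query, confirming the transaction that way rather than relying on the browser-delivered return at all is the stronger design.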
It is not yet clear how many shops are affected. It is estimated that the two shop systems make up some 25 per cent of the market, with xt:commerce reportedly running on some 100,000 servers worldwide. Patches have been released both for osCommerce and xt:commerce to remedy the flaw. Users of xt:commerce are being informed of the problem by newsletter. ipayment says it will write to ipayment retailers who use these shop systems by the end of the day.
The patch also brings the shops into line with the requirements of the card-issuing banks. Up to now, despite claims to the contrary, the shops have in fact been handling credit card data themselves, which the PCI DSS standard does not permit them to do – the very reason such shops have to hand payment processing over to external payment service providers such as ipayment in the first place.
- Ipayment for osCommerce Online Merchant v2.2, patch for osCommerce.
- ipayment patch for xt:commerce 3.0.4 Sp2.1, download at x-tcommerce.info.