From April 13 SC Magazine UK (Revised from their earlier April 11 story): Worldpay’s Gateway

by Raymond Pucci 0

We recently commented on an April 11, 2016 article in SC Magazine UK which stated that Worldpay’s electronic payment gateway setup pages had potential operational vulnerabilities on credit card details, according to a security researcher. SC Magazine UK updated the story on April 13 to add that the vulnerability was reported on January 27, 2015, and successfully patched by Worldpay within 48 hours. A second flaw was reported in April, 2015, and successfully patched the next day.

Worldpay confirms that there has been no data breach and customer data on Worldpay’s payment processing systems remain secure. The SC Magazine UK revisions are as follows, and the complete revised article is available on the link below:

Technology industry watchers have castigated payments processing service Worldpay for potential operational vulnerabilities. Worldpay is billed as a secure payment gateway for businesses that incorporates the worlds of online payments, card machines and telephone payments.

The firm itself proposes that it delivers a secure proprietary technology platform to enable ‘merchants’ to accept a vast array of payment types, across multiple channels, anywhere in the world.

It is precisely the Worldpay Merchant Portal that Randy Westergren has a problem with. As a senior software developer at XDA Developers, Westergren claims he has found “multiple vulnerabilities” in the Worldpay Merchant Portal. He further states that this is not the first time he has uncovered compliance issues with this kind of payment gateway technology.

“One, an attacker can designate his own postback URL, meaning that after a transaction occurs on the merchant’s site, Worldpay’s server would post the results/details of that transaction to the attacker’s server, including the customer’s name, billing address, phone numbers, email addresses and raw information of the transaction,” he said, referring to a flaw that he reported to Worldpay last year. He reported the problem on 27 January 2015 and it was patched within 48 hours, he says.

“The other danger is that the attacker can control the form’s HTML, meaning it could be used to attack the user client-side (e.g. XSS, clickjacking, phishing),” he said. This flaw was reported in April 2015 and patched the next day.

Overview by Raymond Pucci, Associate Director, Research Services at Mercator Advisory Group

Read the full story here