Comments
Hazarth: Dropping the token lifetime isn't the solution, how did it leak in the first place? MitM, I hope? In which case there's not much you can do with it. If the network is compromised then even a 5 second token is a threat, just more spaced out, but not by much.
Why is the card returned before payment?! That's your real issue...
The other is obviously the network, not https? Or what?
ChristoPy: @Hazarth https.
The gift card returns before the transaction completes bc of that thing that managers love: priority shifting. They said they knew, but other things were always more important (in 3 years of existence).
If they're inside the network? We don't know. Their API is a black box, I can't run it locally and deploys to the dev environment are made by hand by one of their "IT" guys. The same happens with their infrastructure, no logs, no monitoring...
It may have leaked by: people running a scam and agreeing to receive some money for giving their credentials, or the attacker has access to the database.
Hazarth: @ChristoPy couldn't it also be a normal user using a valid token of theirs but just using a script to ram the server for fun? Could you get multiple cards if you do it fast enough?
Follow up to: https://devrant.com/rants/5047721/....
1- The attacker just copy-pasted their JWT session token and jammed requests on the buy-gift-cards route
2- The endpoint returns the gift card to continue the payment process, but the gift card is already valid
3- Clients wants only to force passwords to have strong combinations
4- Talk about a FIREWALL? Only next month
5- Reduce the token expiration from 3 HOURS to 10 minutes? Implement strong passwords first
6- And then start using refresh tokens
BONUS: Clearly someone from inside that worked for them: the API and database passwords have been the same for years. And the route isn't used directly by the application, although it exists and has rules that the attacker knows. And multiple accounts from legit users are being used, so the person clearly has access to some internal shit.
Tags: rant, client, attack, dumb
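One way to structure the purchase flow so the card is not redeemable before payment settles, with a per-token limit on the purchase route so a replayed session token cannot hammer it. This is an added, constructed example in Python, not the client's API; the in-memory store, the limit values and the payment-callback shape are assumptions.

```python
"""Gift-card purchase where the card only becomes usable after payment confirmation.

Constructed example: in-memory store, no real payment provider.
"""
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

RATE_LIMIT = 5          # assumed policy: max purchase requests per token per window
WINDOW_SECONDS = 60.0


@dataclass
class GiftCard:
    code: str
    amount: int
    status: str = "pending"   # pending -> active only after payment is confirmed


class GiftCardService:
    def __init__(self) -> None:
        self.cards: dict[str, GiftCard] = {}
        self.orders: dict[str, str] = {}                      # order_id -> card code
        self.requests: dict[str, deque] = defaultdict(deque)  # token -> request timestamps

    def _rate_limited(self, token: str, now: float) -> bool:
        # Sliding window per session token: a replayed token hitting the route
        # repeatedly is cut off here instead of minting a card per request.
        q = self.requests[token]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return True
        q.append(now)
        return False

    def buy(self, token: str, amount: int, now: Optional[float] = None) -> dict:
        """Return only an order id; the card code is withheld until payment confirms."""
        now = time.time() if now is None else now
        if self._rate_limited(token, now):
            return {"error": "too many requests"}
        order_id = secrets.token_hex(8)
        card = GiftCard(code=secrets.token_urlsafe(12), amount=amount)
        self.cards[card.code] = card
        self.orders[order_id] = card.code
        return {"order_id": order_id}

    def confirm_payment(self, order_id: str, paid: bool) -> Optional[GiftCard]:
        """Payment callback: the card is activated here, never in buy()."""
        code = self.orders.pop(order_id, None)
        if code is None:
            return None
        card = self.cards[code]
        card.status = "active" if paid else "cancelled"
        return card

    def redeem(self, code: str) -> bool:
        card = self.cards.get(code)
        return card is not None and card.status == "active"
```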