Vendors relying on Mastercard’s Internet Gateway Service (MIGS) for processing online payments ought to double-check every transaction before they send out items to customers: There is a critical flaw in the system’s validation protocol and it appears the company is completely ignoring it.
Independent security researcher Yohanes Nugroho has stumbled upon a glaring flaw in the MIGS protocol that allows hackers to spoof the payment system and trick merchants into accepting invalid transactions as successful – without even knowing.
“It can be said that this is a MIGS client bug, but the hashing method chosen by Mastercard allows this to happen,” the researcher explains. “Had the value been encoded, this bug will not be possible.”
According to Nugroho’s findings, crafty attackers can exploit this shortcoming to inject invalid values in third-party intermediate payment services to bypass Mastercard’s system altogether and relay the request straight to vendors.
As the researcher observed, “instead of validating inputs on the merchants server side before sending it to MIGS,” the requests are only checked on the client side. Since this data never reaches Mastercard’s servers, it remains susceptible to spoofing.
This means that, if successful, hackers would be able to pass on invalid payment transactions as absolutely legitimate proof of payment. While merchants will still have to confirm the transaction, most users rarely ever check their bank accounts before approving the requests – which is exactly why this loophole is so worrisome.
Nugroho has been able to confirm that at least one payment gateway – Fusion Payments, a company valued at $20 million – was susceptible to this attack.
Fusion Payments has since rewarded the researcher with a $500 bug bounty. They have also already implemented a filtering measure to prevent attackers from exploiting this hole.
This is what Nugroho said about Fusion’s implementation of MIGS:
Initially, they (Fusion) didn’t even check the signature from MIGS. That means we can just alter the data returned by MIGS and mark the transaction as successful. This just means changing a single character from F (false) to 0 (success[ful]).
So basically we can just enter any credit card number, got a failed response from MIGS, change it, and suddenly payment is successful. After they fixed the bug, I discovered that they are vulnerable to the Mastercard hashing bug.
Redditors claim that hackers are already exploiting the vulnerability in India, where MIGS is relatively wide-used, but we haven’t been able to confirm this is indeed the case.
What is particularly worrying though is that the vulnerability can be exploited on practically any system reliant on MIGS, not just Fusion Payments. Still, Mastercard continues to ignore Nugroho’s warnings.
The researcher, who has previously reported and been rewarded $8,500 for finding a similar bug in the MIGS system, told TNW he reported the bug to Mastercard on August 17, but its representatives are yet to acknowledge the flaw. That is despite the fact that his password-protected disclosure post has been accessed by company employees at least three times so far.
In addition to his bug report, he also emailed some of the Mastercard security officers that processed his previous disclosure. He never heard back from them either.
We have contacted Mastercard for more details and will update this post accordingly should we hear back.
Meanwhile, vendors, better stay on your toes – some seemingly valid payment requests might not be all that legitimate after all.
Update: Mastercard’s Senior Vice President of External Communications, Seth Eisen, had this to say:
We are aware of and have looked into the claims made by this researcher. While this specific claim has does not exist within our system, we have identified a potential for a misconfiguration on merchants’ sites that could potentially affect how data is delivered. We are providing specific training and resources to the small number of merchants who could be impacted to minimize any exploitation of such an action.