Sumup: Information disclosure through receipts
==============================================

* Affected system: Backend of Sumup Payments Ltd.
* Released: 2019-03-13
* ID: CIPH-2018-101501


Summary
=====================================

This advisory describes two security vulnerabilities in the backend system
of Sumup Payments Ltd. For every transaction processed via Sumup (for example
the payment of a cup of coffee) a Transaction ID (TID) is generated and the
Merchant ID (MID) of the seller is assigned to it. The customer can later
access the receipt for this transaction through a custom link that contains
the TID and MID. Under some circumstances it is possible to access receipts
without knowing the MID. In addition, the entropy of the TID is too low, which
makes it possible to access random receipts and thus leads to the disclosure
of sensitive data.


Affected users
=====================================

Every seller and customer who uses or has used Sumup as a payment method is
potentially affected.


Finding 1: Logic Error
=====================================

Under normal circumstances a receipt can only be accessed with a valid tuple
of TID and MID. During our research we found that some receipts can be
accessed without knowledge of the corresponding MID; any valid MID is then
sufficient.

We suspect that this bug occurs when a merchant account enters a state unknown
to us, perhaps after the account is suspended or deleted. Therefore only
receipts generated by such "broken" merchant accounts can be accessed without
knowledge of the actual MID, while all others require the correct tuple of TID
and MID.

* Type: Disclosure of sensitive data
* Access Vector: Remote
* Authentication: None
* Complexity: Low
* CVSSv3: 5.6 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:R/CR:M/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:L
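The following is an added example, not Sumup's code: a hypothetical
reconstruction of how a "valid TID plus any valid MID" condition can arise when
the MID check depends on the state of the owning merchant account instead of on
the receipt record itself, which is consistent with the suspicion above. The
merchant states, identifiers and amounts are constructed; the fixed variant
authorises against the MID stored on the receipt regardless of account state.

```python
"""Receipt lookup with the authorisation flaw described in Finding 1, next to
a fixed version. Hypothetical reconstruction; all data below is constructed."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Merchant:
    mid: str
    active: bool  # assumption: "broken" accounts are suspended/deleted ones


@dataclass(frozen=True)
class Receipt:
    tid: str
    mid: str           # MID stored with the receipt at transaction time
    amount_cents: int


# Constructed sample data (not real identifiers).
MERCHANTS = {
    "M1001": Merchant("M1001", active=True),
    "M1002": Merchant("M1002", active=False),   # suspended or deleted
    "M1003": Merchant("M1003", active=True),
}
RECEIPTS = {
    "TAAAAAAAA1": Receipt("TAAAAAAAA1", "M1001", 350),
    "TAAAAAAAA2": Receipt("TAAAAAAAA2", "M1002", 1200),
}


def lookup_vulnerable(tid: str, mid: str) -> Optional[Receipt]:
    """Vulnerable: the supplied MID is compared against the merchant account
    that owns the receipt, and only while that account is active. For a
    receipt whose merchant is suspended or deleted the comparison is skipped,
    so any MID that exists in the system is accepted."""
    receipt = RECEIPTS.get(tid)
    if receipt is None or mid not in MERCHANTS:
        return None
    owner = MERCHANTS.get(receipt.mid)
    if owner is not None and owner.active and owner.mid != mid:
        return None
    return receipt


def lookup_fixed(tid: str, mid: str) -> Optional[Receipt]:
    """Fixed: authorise against the MID stored on the receipt itself, in
    constant time, independent of the merchant account's current state."""
    receipt = RECEIPTS.get(tid)
    if receipt is None or not hmac.compare_digest(receipt.mid, mid):
        return None
    return receipt


if __name__ == "__main__":
    # Receipt of the inactive merchant, requested with another merchant's MID.
    print(lookup_vulnerable("TAAAAAAAA2", "M1003"))  # leaks the receipt
    print(lookup_fixed("TAAAAAAAA2", "M1003"))       # None
```

The check in ``lookup_fixed`` never consults the merchant table, so the
receipt's authorisation cannot silently degrade when the account changes
state; the TID alone still selects the record, which is why Finding 2 matters
independently.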


Finding 2: Low Entropy TIDs
=====================================

A TID consists of a "T" followed by 9 uppercase alphanumeric characters
(36 symbols per position), giving 36^9, approximately 1.02e+14, possible
combinations. Given a set of known-valid TIDs, it is possible to find common
patterns that indicate low entropy of the TIDs and therefore increase the
chance of guessing other valid TIDs.

* Type: Disclosure of sensitive data
* Access Vector: Remote
* Authentication: None
* Complexity: Moderate
* CVSSv3: 5.6 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:R/CR:M/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:L
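As an added example (not part of the advisory), the following analysis shows
how a set of known-valid TIDs is checked for the patterns described above: the
symbols observed at each position and the per-position Shannon entropy are
compared with the nominal 36 symbols and ~5.17 bits per character. The sample
TIDs are produced by a constructed weak generator (fixed prefix, base-36
counter, two hash-derived characters); that generator is an assumption made to
have input to analyse and is not Sumup's algorithm. The analysis functions are
generic and work on any list of equal-length IDs over the same alphabet.

```python
"""Pattern and entropy analysis of a set of known-valid TIDs (Finding 2).
The TID generator is constructed for this example; it is not Sumup's."""
import hashlib
import math
from collections import Counter

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
TID_WIDTH = 9                                # characters after the leading "T"
BITS_PER_CHAR = math.log2(len(ALPHABET))     # ~5.17 bits if fully random


def base36(n: int) -> str:
    digits = ""
    while True:
        n, r = divmod(n, len(ALPHABET))
        digits = ALPHABET[r] + digits
        if n == 0:
            return digits


def constructed_weak_tid(n: int) -> str:
    """Constructed sample generator (assumption): "T" + fixed "7K" +
    zero-padded 5-char base-36 counter + 2 chars from a hash of the counter."""
    digest = hashlib.sha256(n.to_bytes(4, "big")).digest()
    tail = ALPHABET[digest[0] % 36] + ALPHABET[digest[1] % 36]
    return "T" + "7K" + base36(n).rjust(5, "0") + tail


# Constructed input: 1000 "known-valid" TIDs from the weak generator.
SAMPLE_TIDS = [constructed_weak_tid(i) for i in range(1000)]


def symbols_per_position(tids):
    """Sorted set of symbols observed at each of the 9 positions after "T"."""
    return [sorted({t[1 + i] for t in tids}) for i in range(TID_WIDTH)]


def entropy_per_position(tids):
    """Shannon entropy (bits) of the observed symbol distribution per position.
    Note: for n samples this estimate is bounded by log2(n)."""
    n = len(tids)
    result = []
    for i in range(TID_WIDTH):
        counts = Counter(t[1 + i] for t in tids)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def nominal_bits() -> float:
    return TID_WIDTH * BITS_PER_CHAR          # ~46.5 bits, 36**9 ~= 1.02e14 IDs


def effective_bits(tids) -> float:
    return sum(entropy_per_position(tids))


def candidate_space(tids) -> int:
    """IDs an attacker must try when restricting each position to the symbols
    already observed there (a crude pattern model that suffices here)."""
    return math.prod(len(s) for s in symbols_per_position(tids))


if __name__ == "__main__":
    for i, (syms, h) in enumerate(zip(symbols_per_position(SAMPLE_TIDS),
                                      entropy_per_position(SAMPLE_TIDS))):
        print(f"pos {i}: {len(syms):2d} symbols, {h:.2f} bits")
    print(f"nominal   : {nominal_bits():.1f} bits ({36 ** TID_WIDTH:.2e} IDs)")
    print(f"effective : {effective_bits(SAMPLE_TIDS):.1f} bits")
    print(f"candidates: {candidate_space(SAMPLE_TIDS):.2e} IDs")
```

On the constructed input, five positions never change and two more are a
counter, so the symbol sets alone shrink the search space from about 1e14 to
roughly 1.3e6 IDs, which is exactly the kind of reduction that turns a
nominally large ID space into a guessable one when combined with weak rate
limiting. Two caveats: the entropy estimate per position cannot exceed
log2(sample size), so small samples understate the true entropy, and a
counter-based position looks "random" only if the samples are not consecutive.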


Impact
=====================================

In combination with the insufficient rate limiting of the backend API, the
vulnerabilities can be used to collect sensitive data from random receipts without
any authentication.

Finding and accessing all (or many) receipts of a specific seller is possible
but time consuming. Searching for all receipts of a specific customer is not
feasible in acceptable time.


Timeline
=====================================

2018-10-15 Start of research
2018-10-25 Found vulnerabilities in backend
2018-10-26 Abuse notification from vendor
2018-10-26 Verified findings
2018-10-26 Attempt to establish secure communication channel with vendor
2018-11-02 Trying to contact vendor via partner companies
2018-11-02 Informed Niedersachsen-CERT
2018-11-22 Forward from Niedersachsen-CERT to CERT-BUND
2018-11-23 Verification by CERT-BUND
2018-12-03 Further timeline pinned with CERT-BUND
2019-01-09 Teleconference with CERT-BUND and Vendor
           Discussed vulnerabilities with Sumup
           Disclosure timeline established - upcoming fix confirmed.
2019-01-10 Vendor verifies vulnerabilities. Fixes proposed to 2019-01-19
2019-01-18 Vendor confirms fixes (not verified)
2019-03-05 Ciphron confirms fixes
2019-03-13 Advisory released


Disclosure Policy
=====================================

See (in German): https://www.ciphron.de/vulnerability-disclosure-policy

About CIPHRON
=====================================

CIPHRON GmbH was founded in 2003 and is a consultancy for information and
cyber security with its central office in Hannover, Germany. As such, CIPHRON
performs penetration tests, code reviews and independent research on security
topics.

More information is available at
https://www.ciphron.de


Contact
=====================================

Ciphron GmbH
Kriegerstrasse 44
30161 Hannover
Germany