Sumup: Information disclosure through receipts
=====================================

* Affected system: Backend of Sumup Payments Ltd.
* Released: 2019-03-13
* ID: CIPH-2018-101501

Summary
=====================================

This advisory announces two security vulnerabilities in the backend system of Sumup Payments Ltd.

For every transaction over Sumup (like the payment of a cup of coffee) a Transaction ID (TID) is generated and the Merchant ID (MID) of the seller is assigned. The receipt for this transaction can later be accessed by the customer over a custom link, which contains the TID and MID.

Under some circumstances it is possible to access receipts without knowledge of the MID. Also, the entropy of the TID is not high enough, making it possible to access random receipts, which leads to disclosure of sensitive data.

Affected users
=====================================

Every seller and customer who uses or used Sumup as a payment method is potentially affected.

Finding 1: Logic Error
=====================================

Under normal circumstances a receipt can only be accessed using a valid tuple of TID and MID. During our research we found out that some receipts can be accessed without knowledge of the corresponding MID; any valid MID is sufficient. We suspect that this bug occurs when a merchant account enters a state unknown to us, possibly after the account is suspended or deleted. Therefore, only receipts generated by these "broken" merchant accounts can be accessed without knowledge of the actual MID, while others require the correct tuple of TID and MID.
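The access-control logic behind Finding 1, as an added example that is not Sumup's code: the data model, the names, and the merchant-status condition are assumptions that reconstruct the suspected bug class (the ownership check being skipped for merchants in a non-active state), placed beside a hardened lookup whose only decision is whether the stored transaction belongs to the presented MID.

```python
"""Finding 1: receipt lookup with the suspected logic error beside a hardened version.
Added example, not Sumup's backend code; model, names and states are assumptions."""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Merchant:
    mid: str
    status: str  # constructed states: "active", "suspended", "deleted"


@dataclass(frozen=True)
class Transaction:
    tid: str
    mid: str
    amount_cents: int


# Constructed sample data (not real merchants, TIDs or MIDs)
MERCHANTS = {
    "M100": Merchant("M100", "active"),
    "M200": Merchant("M200", "active"),
    "M300": Merchant("M300", "deleted"),
}
TRANSACTIONS = {
    "TABC123XYZ": Transaction("TABC123XYZ", "M100", 350),
    "TDEF456UVW": Transaction("TDEF456UVW", "M300", 420),
}


def lookup_receipt_vulnerable(tid, mid):
    """Hypothetical reconstruction of the bug class: the presented MID is only checked
    for existence, and the ownership comparison is tied to the owning merchant being
    active. Once the owner is suspended or deleted, any valid MID unlocks the receipt."""
    if mid not in MERCHANTS:
        return None
    tx = TRANSACTIONS.get(tid)
    if tx is None:
        return None
    owner = MERCHANTS.get(tx.mid)
    # Bug: the tuple check is skipped unless the owning merchant is still active
    if owner is not None and owner.status == "active" and tx.mid != mid:
        return None
    return tx


def lookup_receipt_hardened(tid, mid):
    """Ownership is decided solely by the stored transaction record. Merchant state never
    relaxes the check, and a wrong MID is indistinguishable from an unknown TID (both None),
    so the endpoint does not act as an oracle for which TIDs exist."""
    tx = TRANSACTIONS.get(tid)
    if tx is None or not hmac.compare_digest(tx.mid, mid):
        return None
    return tx


if __name__ == "__main__":
    # Receipt of the deleted merchant M300, requested with an unrelated but valid MID
    print("vulnerable:", lookup_receipt_vulnerable("TDEF456UVW", "M200"))
    print("hardened:  ", lookup_receipt_hardened("TDEF456UVW", "M200"))
```

The hardened variant deliberately returns the same value for "unknown TID" and "TID exists but MID does not match"; any difference in response body, status code or timing between those two cases would leak which TIDs are valid.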
* Type: Disclosure of sensitive data
* Access Vector: Remote
* Authentication: None
* Complexity: Low
* CVSSv3: 5.6
  https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:R/CR:M/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:L

Finding 2: Low Entropy TIDs
=====================================

A TID consists of a "T" followed by 9 uppercase alphanumeric characters, resulting in approx. 1.02e+14 possible combinations. Given a set of known-valid TIDs, it is possible to find common patterns indicating low entropy of the TIDs and therefore to increase the chance of guessing other valid TIDs.

* Type: Disclosure of sensitive data
* Access Vector: Remote
* Authentication: None
* Complexity: Moderate
* CVSSv3: 5.6
  https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:R/CR:M/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:L

Impact
=====================================

In combination with the insufficient rate limiting of the backend API, the vulnerabilities can be used to collect sensitive data from random receipts without any authentication. Finding and accessing all (or many) receipts of a specific seller is possible but time-consuming. Searching for all receipts of a specific customer is not feasible in acceptable time.

Timeline
=====================================

2018-10-15  Start of research
2018-10-25  Found vulnerabilities in backend
2018-10-26  Abuse notification from vendor
2018-10-26  Verified findings
2018-10-26  Attempt to establish secure communication channel with vendor
2018-11-02  Trying to contact vendor via partner companies
2018-11-02  Informed Niedersachsen-CERT
2018-11-22  Forward from Niedersachsen-CERT to CERT-BUND
2018-11-23  Verification by CERT-BUND
2018-12-03  Further timeline pinned with CERT-BUND
2019-01-09  Teleconference with CERT-BUND and vendor:
            discussed vulnerabilities with Sumup; disclosure timeline established, upcoming fix confirmed.
2019-01-10  Vendor verifies vulnerabilities; fixes proposed for 2019-01-19
2019-01-18  Vendor confirms fixes (not verified)
2019-03-05  Ciphron confirms fixes
2019-03-13  Advisory released

Disclosure Policy
=====================================

See (German): https://www.ciphron.de/vulnerability-disclosure-policy

About CIPHRON
=====================================

CIPHRON GmbH was founded in 2003 and is a consultancy for information and cyber security with its central office in Hannover, Germany. As a consultancy for information and cyber security, CIPHRON does penetration tests, code reviews and individual research on security topics. More information is available at https://www.ciphron.de

Contact
=====================================

Ciphron GmbH
Kriegerstrasse 44
30161 Hannover
Germany
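The numbers behind Finding 2, as an added example that is not Sumup's code: it computes the size of the TID format stated in the advisory ("T" plus 9 uppercase alphanumeric characters, 36^9 values), generates TIDs in that format from a CSPRNG (an assumed remediation, not the fix the vendor actually shipped), and runs the per-position entropy audit a team would apply to its own generator before deployment. The two sample sets are constructed here; the counter-style one is not real Sumup data.

```python
"""Finding 2: TID keyspace, CSPRNG generation and a positional entropy audit.
Added example, not Sumup's code; generator and audit helper are assumptions."""
import math
import re
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols: the TID body alphabet from the advisory
TID_BODY_LENGTH = 9                                  # characters following the leading "T"
TID_PATTERN = re.compile(r"^T[A-Z0-9]{9}$")


def keyspace_size(alphabet_size=len(ALPHABET), length=TID_BODY_LENGTH):
    """Number of syntactically possible TIDs: 36**9 = 101559956668416 (the advisory's ~1.02e14)."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size=len(ALPHABET), length=TID_BODY_LENGTH):
    """Upper bound on TID entropy in bits: 9 * log2(36) ~= 46.5."""
    return length * math.log2(alphabet_size)


def generate_tid():
    """TID in the advisory's format drawn from the OS CSPRNG (assumed remediation).
    secrets.choice is unbiased over the alphabet, so every position carries log2(36) bits."""
    return "T" + "".join(secrets.choice(ALPHABET) for _ in range(TID_BODY_LENGTH))


def positional_entropy(tids):
    """Shannon entropy in bits of each body position across a sample of well-formed TIDs.
    A generator using the whole alphabet uniformly scores close to log2(36) ~= 5.17 per
    position; constant prefixes, counters or timestamps pull positions toward 0."""
    bodies = [t[1:] for t in tids if TID_PATTERN.match(t)]
    if not bodies:
        raise ValueError("no well-formed TIDs in sample")
    n = len(bodies)
    per_position = []
    for pos in range(TID_BODY_LENGTH):
        counts = Counter(body[pos] for body in bodies)
        per_position.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return per_position


def estimated_bits(tids):
    """Sum of positional entropies: a rough audit figure to compare against keyspace_bits().
    It ignores correlations between positions, so it is optimistic for structured IDs."""
    return sum(positional_entropy(tids))


# Constructed samples (not real Sumup TIDs): a zero-padded counter behind a fixed prefix,
# and the same number of IDs from the CSPRNG generator above.
LOW_ENTROPY_SAMPLE = [f"TABC{i:06d}" for i in range(1000)]
RANDOM_SAMPLE = [generate_tid() for _ in range(1000)]

if __name__ == "__main__":
    print(f"keyspace: {keyspace_size():.3e} values, {keyspace_bits():.1f} bits")
    print(f"counter-style sample: {estimated_bits(LOW_ENTROPY_SAMPLE):.1f} bits")
    print(f"CSPRNG sample:        {estimated_bits(RANDOM_SAMPLE):.1f} bits")
```

Even a perfect 46.5-bit TID is a weak secret on its own, which is why the hardened lookup ties the receipt to the MID as well; the audit figure is useful as a regression check in the generator's test suite, where a drop far below the keyspace bound flags a switch to a non-cryptographic PRNG or a structured ID layout.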
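The mitigation named in the Impact section, as an added example that is not Sumup's backend: a token-bucket limiter with an injectable clock, applied to a receipt lookup with both a per-client budget and a global endpoint budget. The limits, the lookup function and the client key are assumptions.

```python
"""Impact section: rate limiting a receipt lookup endpoint.
Added example, not Sumup's backend; limits, keys and the demo lookup are assumptions."""
import time


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, bursts up to `capacity`.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self._buckets = {}  # key -> (tokens, time of last refill)

    def allow(self, key):
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._buckets[key] = (tokens, now)
            return False
        self._buckets[key] = (tokens - 1, now)
        return True


class ReceiptEndpoint:
    """Wraps a lookup function with two budgets: one per client (source address, session
    or similar) and one for the endpoint as a whole, so that spreading requests over many
    clients does not escape the limit. Both are charged before the lookup, so a miss costs
    as much as a hit."""

    def __init__(self, lookup, clock=time.monotonic):
        self.lookup = lookup
        self.per_client = TokenBucket(rate=0.1, capacity=10, clock=clock)     # assumed: burst of 10, then 6/min
        self.global_budget = TokenBucket(rate=50, capacity=500, clock=clock)  # assumed endpoint-wide cap
        self.rejected = 0  # counter a monitoring system would alert on

    def handle(self, client, tid, mid):
        if not self.per_client.allow(client) or not self.global_budget.allow("global"):
            self.rejected += 1
            return "rate_limited"
        receipt = self.lookup(tid, mid)
        return receipt if receipt is not None else "not_found"


def demo_lookup(tid, mid):
    """Constructed store with a single receipt; stands in for the hardened lookup."""
    if (tid, mid) == ("TABC123XYZ", "M100"):
        return {"tid": tid, "mid": mid, "amount_cents": 350}
    return None


if __name__ == "__main__":
    endpoint = ReceiptEndpoint(demo_lookup)
    for _ in range(11):
        print(endpoint.handle("client-a", "TABC123XYZ", "M100"))
    print("rejected:", endpoint.rejected)
```

The `rejected` counter is the detection hook: a sustained rise in rate-limited responses on an unauthenticated receipt endpoint is the signal that someone is enumerating, and it is cheap to export as a metric.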