Someone asked me what I knew about the payment provider ‘Payeer’ as an alternative to Paypal, this prompted me to do a small bit of research and check them out. One thing that caught my eye was a feature on the marketing front page of payeer.com that appeared to be leaking real-time customer transaction details because of badly implemented redaction.
Hit ‘Read More‘ for full the full article
On the front page of payeer.com was a neat ‘Payeer statistics’ grid that displayed real-time customer transactions, since these were real transactions happening right now you could see a redacted version of the customers email address along with the address of who they were paying and the amount of the transaction (checkout the image below), new transactions were flying by each second and you really got a feel for the amount of transactions that Payeer has to handle.
Curious if these were in fact real customer transactions I inspected the source to find that these transactions were being pushed to the marketing page through a web-socket directly from a Payeer API, what follows is an example of messages coming through from the WebSocket.
Though you can only see four messages in the data above I was sitting in front of hundreds of these messages and an issue became clear; the redacted email addresses were redacted in a nondeterministic fashion so when a payment took place with the same address a different part of that address was hidden each time, eventually leaking the entire address.
I tested this on a few addresses and sure enough, I was able to reveal them, generally it only took six messages to be able to unmask an entire transaction.
After spending some time trying to find a technical contact for Payeer I was able to report the issue, although they noted that they did not consider this a critical issue they did fix it within 48 hours from my initial report and pay a small bounty for finding the issue.