Ecommerce Systempay Weak Cryptographic Implementation Vulnerability Allowing Production Key Brute Force

A vulnerability exists in Ecommerce Systempay version 1.0 due to a weak cryptographic implementation. This flaw allows attackers to brute force the 16-character production secret key used for generating payment signatures. By extracting payment form data and signatures from POST requests to the payment endpoint, attackers can use SHA1 hash comparisons to iteratively test key candidates until the correct production key is found. Successfully obtaining this key enables the forgery of valid payment signatures and manipulation of transaction amounts.

Impact

Exploitation of this vulnerability allows for brute forcing of the production secret key, which can then be used to forge payment signatures and manipulate transaction amounts.

Reproduction

To reproduce this vulnerability, first identify an ecommerce site using Systempay version 1.0 that employs SHA1 for signature cryptography. Add products to the cart and select Systempay as the payment method. Once the payment form is submitted, capture the POST request data sent to the payment endpoint, including the signature and all vads fields. Use this information to brute force the production key by testing key candidates against the SHA1 hash of the original signature.