Flaws in Worldpay’s Merchant Portal Allow Attackers to Modify Payment Forms
Catalin Cimpanu reports:
Vulnerabilities known as IODR (Insecure Direct Object References) were found and fixed in Worldpay, an online secure payments platform, security researcher Randy Westergren reports.
An IODR vulnerability is when users have access to information they should not see, either because it belongs to another user or originates from an account with higher privileges.
In 2013, the OWASP project classified IODR flaws as the fourth most prevalent and dangerous vulnerabilities around, mainly because they’re incredibly easy to exploit and often expose a trove of information at once.
Read more on Softpedia.
Note Randy’s question at the end of his report:
The larger question remains: how are these vulnerabilities being introduced (and not identified/patched) into a company’s software, whose entire business is working with some of the most sensitive user data in existence? Unfortunately, this is yet another example of the general failure of compliance, security seals, and auditing policies, resulting in critical software vulnerabilities that routine penetration testing should have identified.