Greek developers have, according to information provided to the SecNews editorial team, identified a weakness in the handling of the Paysafe API. Specifically, the developers of SoccerBot (software that, according to its creators, helps bettors quickly find promising football matches) have identified a weakness in the Paysafe API.
The programmers of Soccerbot-Team, Kondor and Zerocode (or +Serializer+), created the proof of concept for the weakness, according to what Zerocode told the SecNews editor. As they explain, the weakness is not in the API itself but in the exploitation of an unprotected Paysafe endpoint that makes it possible to create code that acts as an "authorized" API.
The weakness was discovered by accident. The application originally supported PayPal only; due to increased demand from users, the Soccerbot developers considered it important to support Paysafe as well. In the process of doing so, the developers Kondor and Zerocode (or +Serializer+) identified the weakness and immediately informed the company, as they ought.
For this purpose they created a Python script (shown in the video below) named paysafe_cracked_api.py. The proof-of-concept code was run on a local server, as the developers' goal was not to profit but to inform the company of the weakness.
During the communication, the script checks for transaction requests. If data is collected, it is linked to an unprotected part of Paysafe (automatically, as reported by Zerocode) in order to deposit the amount into an account corresponding to a bank card.
Watch the full video of the developers' process, as they released it:
Asked by the SecNews editor about the company's reaction, the developers reported that they had tried to get in touch with the company earlier, but this was not possible from the company's side, which showed no interest in analyzing the specific problem the developers had identified or in resolving it. According to the developers, the fix is very easy.
It is possible for a malicious user to use this method to receive payments on websites of his or her choosing without any authorization from Paysafe. Combined with a botnet and the necessary configuration of the Python script, it would be possible to test Paysafe cards at a rate of one test per second.
The developers / researchers say they are in fact concerned that such a large company has made so serious a mistake, one that can lead to losses.
SecNews was unable to evaluate the finding, as we do not have access to the source code of the Python script the developers created. We do, however, believe the company must communicate DIRECTLY with the developers so that it is accurately informed and can make its own assessment, since it knows its systems and how they could be affected by the use of the unauthorized API.
A typical example of the developers' intentions, in Zerocode's own words, is:

"We will continue to keep our ethos at a high level and use our knowledge for a good purpose, whether rewarded for it or not ...

Sincerely, Soccerbot-Team"
SecNews thanks the Soccerbot developers for the timely and valid update.