[EXCLUSIVE] Developers detected a weakness in the Paysafe API!

According to information reported to the SecNews editorial team, Greek developers have identified a weakness in the handling of the Paysafe API. Specifically, the developers of SoccerBot (software that, according to its creators, helps bettors quickly find promising football matches) have identified a weakness in the Paysafe API.

The programmers of Soccerbot-Team, Kondor and Zerocode (alias +Serializer+), created a proof of concept for the weakness, according to what Zerocode says in his communication with the SecNews editor. As they explain, the weakness is not in the API itself but in the exploitation of an unprotected Paysafe endpoint, which makes it possible to write code that acts as an "authorized" API.

The weakness was discovered by accident. The application originally supported PayPal only; due to increased demand from users, the Soccerbot developers considered it important to support Paysafe as well. While doing so, the developers Kondor and Zerocode (+Serializer+) identified the weakness and immediately informed the company, as they ought.

For this purpose they created a Python script (shown in the video below) named paysafe_cracked_api.py. The proof-of-concept code was run on a local server, as the developers' goal was not to profit but to inform the company of the weakness.

During the communication, the script checks for transaction requests. If data is collected and it is linked to the unprotected part of Paysafe, the amount is automatically (as reported by Zerocode) deposited into an account corresponding to a bank card.

Watch the full video of the developers' process, as they released it:

https://www.youtube.com/watch?v=3AZT5iLNRfA

Asked by the SecNews editor about the company's reaction, the developers reported that they had tried to get in touch with the company earlier, but this was not possible from the company's side, which showed no interest in analysing the specific problem the developers identified or in resolving it. According to the developers, the fix is very easy.

It is possible for a malicious user to use this methodology to make payments to websites of his or her choosing without any authorization from Paysafe. Combined with a botnet and suitable configuration of the Python script, it would be possible to test Paysafe cards at a rate of one test per second.

In fact, according to the developers/researchers, they are concerned that such a big company has made such a serious mistake, one that can lead to financial losses.

SecNews was unable to evaluate the finding, as we do not have access to the source code of the Python script the developers created.

However, we believe that the company must communicate DIRECTLY with the developers so that it is accurately informed and can make its own assessment, since it knows its systems and how they can be affected by the use of the unauthorized API.

A typical example of the developers' intentions, as Zerocode himself puts it, is:

"We will continue to keep our ethos at a high level and use our knowledge for a good purpose, whether we are rewarded for it or not ...

Sincerely, Soccerbot-Team"

SecNews thanks the Soccerbot developers for the timely and valid update.

The author allows you to copy his or her text only if you cite the source (SecNews.gr) with a live URL of the article.
