Of World of Tanks Payment Security

Source: http://habrahabr.ru/post/228219/ (via world-of-ru, LJ user Wisejew)

An interesting article appeared on the abovelinked portal about World of Tanks payment security. In it, a Russian programmer of payment portals takes a look at the security of various paying portals, including – yes, you guessed right, the Wargaming premium shop. The author states that he analyzes weaknesses of various payment systems and runs over and over again into the same vulnerability, called… and now, I have no idea how to translate it, because I am not a programmer. In Russian it’s “инкрементальные айдишники” – in English, it would be something like… incremental ID’s? If there is a programmer amongst the readers, please explain to us what that means :)

Anyway, back to World of Tanks portal. After making an order, the client redirects the user to an URL in following format:

http://aggregator-domain/ok.php?payment_id=123456

Which in turn redirects the client to the URL of the game in following format (decoded by the author for easier reading, from Russian server eg. the currency is Russian):

https://online-game-domain/shop/?…amount=32.86…&currency=RUB…&user=user_email@gmail.com…&item_name=1 day of premium account

The author states that if you figure out the value of the payment_id parameter, you will be able to see login of the user in the game, their purchases etc.

3ca0b32197242641c28465af7ad6b310

Wargaming shop is just one of the examples, cited by the author. He concludes the post with a statement that due to sloppiness of programmers, in the case above, a possibility is introduced for hackers to mine personal and account data from the purchases. He also comments on the solution (to use something called “token” and “an arbitrary string”). From there on (especially the comments) it gets technical. I wonder though – how much are our data really protected and since Wargaming already had some large account data leaks (remember that “change your password for gold” event? That wasn’t just because Wargaming is nice and cares about our security, it was because on RU server, a certain amount of account data got leaked (and the accounts got hacked)).

18 thoughts on “Of World of Tanks Payment Security

  1. incremental ID’s

    Should be exactly that – and in this case it’s bad because you can guess the previous/next in line and try to tamper with the system.

    Typical example would be a delete/edit operation with incremental ID and you could try if the system is secure enough to check for privileges during the operation itself, not only when showing you the edit/delete link :)

    A better solution is to use some sort of hash/whatever that is not easily guessed, something like id=Ax74qFggs47C – good luck finding another working ones :)

    • So, basically, if anyone… I don’t know, bruteforced the links with incremental ID’s, he could potentially mine all sort of payment data, including logins and such?

      • Well, yeah – basically that.

        Edit: by iterating over all existing IDs you could easily build a nice database of emails and how much each user spent on the game and so on.

      • Позвольте легкий оффтоп. Сайлентсталкер, я правильно понимаю, что русский для вас родной?

      • Hey SS, I think the gold reward for changing password was about so called Heartbleed, vunerability that widely affected systems around the world. It was a vunerability in OpenSSL TSL-protocol that allowed cracker to read data from some buffers. WG updated their OpenSSL version so vunerability should exist no more. BUT: they really coulnd’t be sure if some passwords were leaked earlier, so they wanted everybody to change their passwords.

        • Well, the first time they had the “Change password for gold” event it was afaik WG’s fault.

          The one you mention was the second (I think) event and imho you are right, it was because of Heartbleed.

  2. The incremental ID or simply the ID is a unique number given to each element (row) in a data set (database table). It serves as a unique identifier. It is usually a simple integer (in 99% of the cases) which is auto-generated by the database system (SQL Server, Oracle, etc..) and incremented by an already defined step (default by 1). The rest of the data in the same row represent all the information related to that specific id (in this case all the payment details assigned with that specific payment ID).

    The ID can be used as a reference by other database tables (which is why the author mentioned you can have a look at the payment history if you get hold of the player login which is obviously used as a reference for all payments he made, of course through the login id)

    • I think the flow of purchase is something like: purchase complete -> go to aggregator-domain -> redirect back to shop page (with user info). Because aggregator-domain use purchase_id to generate redirect link, if you have format of purchase_id you can craw back to get info of other account.

  3. An auto-increment of an ID is not the risk itself.

    You can make a payment and you have your ID, so you can be sure, the next payment from anyone has your ID+1 to identify his payment.

    However, now you only have a ID you can work with. Saying you can read any data with that is not proofen. Normally you can query the server with that ID, the Server checks your authentication and gives you the reply.

    The auth has to be known, to get some data.

    The ID just gives you the first parameter. Normally you hide this ID or use a token (randomly generated number while the payment checkout) together with the ID.
    In that case, you can check the ID and the token, before you have to check the auth-informations.

    Saying I can query the server just with an ID and get informations is quite senseless… or WG did a real fail on their security…

  4. token is a physical device for computer authentication, basically a small plastic object with part of the login code