{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/payment-data-leak/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["avideo","authentication-bypass","payment-data-leak"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, a video sharing platform, contains a critical vulnerability affecting multiple payment plugins. The vulnerability stems from the lack of authentication checks on \u003ccode\u003elist.json.php\u003c/code\u003e endpoints, which expose sensitive payment transaction data. This oversight allows unauthenticated attackers to retrieve payment records from PayPal, Authorize.Net, and Bitcoin payment providers. The issue mirrors a previously patched vulnerability in the Scheduler plugin (GHSA-j724-5c6c-68g5) but was not consistently applied across all affected endpoints. A total of 21 \u003ccode\u003elist.json.php\u003c/code\u003e endpoints remain vulnerable. The affected version is \u0026lt;= 26.0. This vulnerability poses a significant threat to AVideo users, potentially leading to financial data theft and unauthorized access to sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable AVideo instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GET request to a vulnerable \u003ccode\u003elist.json.php\u003c/code\u003e endpoint, such as \u003ccode\u003eplugin/PayPalYPT/View/PayPalYPT_log/list.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe AVideo server processes the request without authentication and executes the associated PHP script.\u003c/li\u003e\n\u003cli\u003eThe script queries the database, retrieving all records from the corresponding table (e.g., \u003ccode\u003ePayPalYPT_log\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server returns a JSON-encoded response containing the retrieved data, including sensitive payment information.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response to extract PayPal agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, or Bitcoin transaction details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted tokens or payment information for malicious purposes, such as payment manipulation or account correlation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to significant data exposure. Attackers can retrieve all payment transaction records across PayPal, Authorize.Net, and Bitcoin payment providers. This includes sensitive data such as PayPal Express Checkout tokens and billing agreement IDs, potentially enabling payment manipulation or account correlation. Transaction records contain user ID mappings, payment amounts, and full API responses that may include payer email addresses and names. The scope is broad, affecting 21 \u003ccode\u003elist.json.php\u003c/code\u003e endpoints, also exposing live streaming server infrastructure and user connection data. No authentication or user interaction is required.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided code snippet to all unprotected \u003ccode\u003elist.json.php\u003c/code\u003e endpoints to enforce authentication checks using \u003ccode\u003eUser::isAdmin()\u003c/code\u003e as detailed in the advisory's recommended fix.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to \u003ccode\u003elist.json.php\u003c/code\u003e endpoints located within AVideo plugin directories using the rule \u003ccode\u003eAVideo Unauthenticated Access to list.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for sensitive data being transmitted in cleartext from the vulnerable endpoints, such as PayPal tokens, using the rule \u003ccode\u003eAVideo Sensitive Data Exposure via Unauthenticated Endpoint\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-avideo-auth-bypass/","summary":"AVideo is vulnerable to unauthenticated access to multiple `list.json.php` endpoints due to missing authorization checks, allowing attackers to retrieve sensitive payment transaction records, including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin payment records, leading to financial data exposure and potential PII leakage.","title":"AVideo Unauthenticated Access to Payment Log DataTables Endpoints","url":"https://feed.craftedsignal.io/briefs/2024-01-29-avideo-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Payment-Data-Leak","version":"https://jsonfeed.org/version/1.1"}