<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Payment-Data-Leak - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/payment-data-leak/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/payment-data-leak/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo Unauthenticated Access to Payment Log DataTables Endpoints</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-avideo-auth-bypass/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-avideo-auth-bypass/</guid><description>AVideo is vulnerable to unauthenticated access to multiple `list.json.php` endpoints due to missing authorization checks, allowing attackers to retrieve sensitive payment transaction records, including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin payment records, leading to financial data exposure and potential PII leakage.</description><content:encoded><![CDATA[<p>AVideo, a video sharing platform, contains a critical vulnerability affecting multiple payment plugins. The vulnerability stems from the lack of authentication checks on <code>list.json.php</code> endpoints, which expose sensitive payment transaction data. This oversight allows unauthenticated attackers to retrieve payment records from PayPal, Authorize.Net, and Bitcoin payment providers. The issue mirrors a previously patched vulnerability in the Scheduler plugin (GHSA-j724-5c6c-68g5) but was not consistently applied across all affected endpoints. A total of 21 <code>list.json.php</code> endpoints remain vulnerable. The affected version is &lt;= 26.0. This vulnerability poses a significant threat to AVideo users, potentially leading to financial data theft and unauthorized access to sensitive information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a vulnerable AVideo instance.</li>
<li>The attacker crafts a GET request to a vulnerable <code>list.json.php</code> endpoint, such as <code>plugin/PayPalYPT/View/PayPalYPT_log/list.json.php</code>.</li>
<li>The AVideo server processes the request without authentication and executes the associated PHP script.</li>
<li>The script queries the database, retrieving all records from the corresponding table (e.g., <code>PayPalYPT_log</code>).</li>
<li>The server returns a JSON-encoded response containing the retrieved data, including sensitive payment information.</li>
<li>The attacker parses the JSON response to extract PayPal agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, or Bitcoin transaction details.</li>
<li>The attacker uses the extracted tokens or payment information for malicious purposes, such as payment manipulation or account correlation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to significant data exposure. Attackers can retrieve all payment transaction records across PayPal, Authorize.Net, and Bitcoin payment providers. This includes sensitive data such as PayPal Express Checkout tokens and billing agreement IDs, potentially enabling payment manipulation or account correlation. Transaction records contain user ID mappings, payment amounts, and full API responses that may include payer email addresses and names. The scope is broad, affecting 21 <code>list.json.php</code> endpoints, also exposing live streaming server infrastructure and user connection data. No authentication or user interaction is required.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the provided code snippet to all unprotected <code>list.json.php</code> endpoints to enforce authentication checks using <code>User::isAdmin()</code> as detailed in the advisory's recommended fix.</li>
<li>Monitor web server access logs for requests to <code>list.json.php</code> endpoints located within AVideo plugin directories using the rule <code>AVideo Unauthenticated Access to list.json.php</code>.</li>
<li>Inspect network traffic for sensitive data being transmitted in cleartext from the vulnerable endpoints, such as PayPal tokens, using the rule <code>AVideo Sensitive Data Exposure via Unauthenticated Endpoint</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>avideo</category><category>authentication-bypass</category><category>payment-data-leak</category></item></channel></rss>