edj
Joined: 05/09/2009

Yesterday, my Google Checkout was hacked. I lost about $1000. Someone was able to gain access to my site as an administrator. They then sent a .01 payment to me. They were then able to get into my Google Checkout and, as a funny joke, refunded about $1000. The hacker didn't gain anything but I am out $1000.

I don't know how this person did it, but I need to let Ubercart and community know that people CAN gain access to your Google Checkout.

Ryan
Joined: 08/07/2007
Re: Security Breach in Ubercart

I fail to see how this is a security problem with Ubercart, but thanks for the reminder. Obviously you should not hand out your GCO credentials to anyone, and I recommend following up with Google.

edj
Joined: 05/09/2009
Re: Re: Security Breach in Ubercart

If you don't feel it's ubercart, please feel free to give your theories so that I and the rest of us won't have this issue again.

torgosPizza
Joined: 08/14/2007
Re: Re: Re: Security Breach in Ubercart

I guess the question is, how did they get access to your GCO credentials? Were they able to hack into your actual site, or your Google account? (I doubt it was Google that got hacked.) If they got into your site, how did they do that? Did they get root access? (If it's a dedicated server, make sure your root password is hard to crack; if it's a shared server, you might contact your tech people.) Did they hack into your database? If so, then the same reasons apply: make sure you only allow access for a specific db user that is for your instance of Drupal.

If you are positive that your server and its database are secure, then perhaps there is a security exploit in a module you are using? If Contrib modules don't follow the documentation on writing secure code, then there are ways to trick your database into giving up secrets that can lead to a break-in. Always use the latest Drupal and Ubercart code (especially after a security update - those are extremely important) and you should always encrypt sensitive data with an SSL certificate, to prevent people from grabbing data from your transactions.

There are other things you can do to harden your system, but those are the basics.

--
Help directly fund development: Donate via PayPal!

grobot
Joined: 04/12/2008
your next steps ...

edj, before asserting that the security issue is Ubercart's fault, you need to establish why you believe this is so. You don't have to have complete proof, but you really ought to have good reason for your suspicions.

From what you say, here's what you know:

  1. Someone accessed your Drupal / Ubercart site as admin
  2. Someone made a $0.01 payment to your Google Checkout (GC)
  3. Someone accessed your GC and refunded $1000

(are there any other clues you mentioned that I missed?)

So - some additional details you need to share with the community when reporting a situation like this:

  1. What version(s) of Drupal, Ubercart, PHP, MySQL etc are you running?
  2. Do you log in via SSL?
  3. Any other web apps running on the same server?
  4. Hosting environment / setup

(How to Report Bugs Effectively is worth reading.)

Here are three quick scenarios which could have led to the same results - I'm making these up as examples, and it's ridiculously far from a complete list:

  • Another site hosted on the same shared server as your site has an older version of Wordpress which has been exploited. The attacker read your DB connection details, looked in your DB and extracted the login hash for uid=1, then reversed the MD5 using an online tool. They logged in and stole your GC creds.
  • Your site is running Drupal 6.10 which has an XSS bug (fixed in 6.11). When you used Internet Explorer to visit the admin interface, an attacker used XSS to steal your auth cookie, faked your session and stole your GC creds.
  • Your desktop PC has a trojan which allowed the attacker to steal your Drupal login via a keylogger.
  • Your Drupal password was a dictionary word, and the attacker guessed it through brute force.

Oh, that was four examples, oops. Plenty more where that came from. Point being - there are MANY MANY more possible scenarios. And a flaw in UC is only one of many possible scenarios.

Now, you've just been exploited, and you're hurt by that - so it's tempting to place the blame. Very human - no-one can blame you for being that!

But, knowing the above we can see that leaping to the conclusion that any particular piece of the puzzle is at fault is actually a risky thing to do, because it greatly reduces the chances of you correctly identifying the real attack vector. And as long as you don't have that information, your online account will remain insecure.

Those of us in this forum feel your pain - we run shops too, and no-one wants to be stolen from. We're happy to help you dig deeper and identify the real problem, because if it does affect UC, it affects us all too. But making assumptions won't help us do that.

So - what steps can you take, now that you're in the position that you are?

Obviously, report the situation to Google, and see what information they can provide.

The next thing I'd do in your case, seeing as you think the attack on your Google Checkout is related to Ubercart, would be to search through your webserver logs and identify if anyone visited the admin/store/* pages who wasn't coming from your usual IP address.

That would tell you if someone had accessed your Ubercart interface and possibly retrieved your Google Checkout details. (This still might be because someone had your Drupal login through other means - but if there was a security flaw in UC, it might also reveal how they got into your system.)

If that doesn't reveal anything, then perhaps you could ask the community for assistance in digging further. I'm sure you'll find people who are happy to assist, and the end result should be that you have a more secure server.

Giant Robot - for campaign, charity, ngo & online store solutions - www.giantrobot.co.nz
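The log search suggested above (requests to admin/store/* from addresses other than the shop owner's usual ones), written out as an added example that is not part of this thread or of Ubercart. It assumes Apache/nginx "combined" log format, a small list of trusted admin addresses or CIDR ranges, and a few constructed sample lines; it also flags successful logins at /user/login, which the post does not mention, so that an unexpected login shows up next to the admin page views it preceded.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" LogFormat (assumption: adjust the regex to your vhost's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths worth a second look when hit from an unexpected address:
# the Ubercart store admin tree from the post, plus the Drupal login form (my addition).
SENSITIVE_PREFIXES = ("/admin/store", "/user/login")

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2009:02:13:44 +0000] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2009:02:14:02 +0000] "GET /admin/store/settings/payment HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2009:02:15:30 +0000] "GET /admin/store/orders HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2009:09:01:11 +0000] "GET /admin/store/orders HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2009:10:22:05 +0000] "GET /catalog HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2009:10:22:40 +0000] "GET /admin/store/orders HTTP/1.1" 403 221 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_suspicious_admin_hits(lines, trusted):
    """Sensitive-path requests that succeeded (200/302) from outside the trusted addresses.

    A 403 on an admin path means Drupal refused the request, so it is not counted here;
    a 302 on /user/login is how a successful Drupal login looks in the access log.
    """
    nets = [ip_network(t, strict=False) for t in trusted]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SENSITIVE_PREFIXES):
            continue
        if rec["status"] not in ("200", "302"):
            continue
        try:
            src = ip_address(rec["ip"])
            if any(src in n for n in nets):
                continue
        except ValueError:
            pass  # hostname instead of an address (HostnameLookups On): cannot verify, so keep it
        hits.append((rec["ip"], rec["ts"].isoformat(), rec["method"], rec["path"], rec["status"]))
    return hits


def summarize(hits):
    """Count flagged requests per source address, so the unexpected visitor stands out."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_suspicious_admin_hits(SAMPLE_LOG.splitlines(), ["192.0.2.10"])
    for hit in found:
        print(*hit)
    print(summarize(found))
```

On a real server, replace SAMPLE_LOG with the lines of your access log and the trusted list with the addresses you normally administer the shop from; a login followed by admin/store page views from an unfamiliar address is the pattern to take to Google and your host.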

edj
Joined: 05/09/2009
Re: your next steps ...

I realized that I hired someone a long time ago to fix some code. I gave them administrator rights. I forgot they had these rights. For some reason, this person must have logged into the Admin section of my site, sent a .01 payment and then somehow got the password to my Google Checkout account. I wish there wasn't a way for someone to get the login info by sending payment.

torgosPizza
Joined: 08/14/2007
Re: Re: your next steps ...

I'm not sure how GCO works, but don't you need to include your Google API ID (or something similar)? In that case, it probably wouldn't be very hard for that coder to learn how to send refunds using a script or something.

--
Help directly fund development: Donate via PayPal!

justageek@drupal.org
Joined: 10/28/2008
I'm confused

If they got into your web site as administrator, then how did paying you .01 give them the login privileges to your Google account? The Drupal setup does not include your password for Google, so how did the payment give them the password?

vincew
Joined: 01/21/2009
LS, As far as I can tell

LS,

As far as I can tell from this post....

There is not a clue (yet) that the payment of .01 and the refund were done by the same person. Neither is there any proof at the moment that it's a Drupal, Ubercart, server or personal security breach....

My advice at the moment is to save all your log files (Drupal db, server logs and GCO logs) to secure possible evidence. I assume you will ask Google and the authorities to investigate this... You will need your evidence then. Also it's not a bad idea to contact the Drupal Security Team at: http://drupal.org/contact My experience tells me there are a few leads in this case to investigate.

Until there is more information about what caused the breach I would suggest changing the topic of this thread to "Unauthorized refund from a GCO account", that way we keep the discussion in the clear, and don't point a finger at a possibly wrong cause.

Please keep us updated on this, because security in general, but e-commerce security in special, concerns us all.

Best,
VinceW

-=[ Your Information Matters ]=-

(You may use my personal contact form to discuss drupal/ubercart work.)

edj
Joined: 05/09/2009
Re: LS, As far as I can tell

JustaGeek - Are you asking me those questions? If so, I'm not sure how this person did what he did. I do know that he sent a .01 payment and that night refunded around $800.

VinceW - I've given all the information about this person to Google and here is their response:

---------------------------------------------------
Hello [name],

Thank you for your reply. This issue was escalated to me by Sharon, who let me know that you still have some concerns regarding unauthorized activity in your account.

After reviewing your account again, I can confirm that there appears to be unauthorized activity in your merchant account. I apologize for any confusion due to our previous messaging.

In order to best protect your account from further unauthorized activity, we have suspended your account. Any pending and future transactions made with this account will not be processed. You will still receive a payout for your remaining balance of $xx.xx as normal.

Please note that in order to guarantee no further unauthorized access, your account will be closed after 5 business days. After your account has been closed, you will no longer be able to login to your account or see previous order information. We recommend that you take the next 5 business days to make a record of any pertinent information in your account and fulfill any outstanding orders. I have also attached a file to this email containing information for all your previous orders. This file has been password protected, and the password is the billing zip code that you provided in your merchant account upon sign up.

We hope that you will continue to use Google Checkout for your business. Please feel free to create a new Google Checkout merchant account at any time by visiting checkout.google.com/sellers.

If you have any further questions, please do not hesitate to contact us again.

Sincerely,

David
The Google Checkout Team
---------------------------------------------------

I do know for a FACT who this person is as I worked closely with him for several years developing software. Long story short, he was hired to complete a job, it wasn't complete, so our company paid him for the work that was done. Apparently this person felt he needed to resort to felony activity. [moderated name out]. Absolutely disappointing to realize someone would resort to this level.

I would like to continue this discussion to figure out how the hacking was done.

justageek@drupal.org
Joined: 10/28/2008
just thinking out loud..

I was trying to figure out what happened. This person either knew or guessed your google password, I suppose. If you used the same password for google as your admin drupal account, perhaps that's how they knew?

Hope it all is resolved quickly.

grobot
Joined: 04/12/2008
seems straightforward

* he had your login creds, therefore access to your API key via UC and an interface to make UC transactions

* he used the UC interface to create a 0.01 transaction, then the UC interface or another script to refund the larger sum

no software hack required (unless maybe UC limits the amount of the refund to the amount of the original transaction).

edj, you've suggested a few times above that this was a fault in ubercart, but it seems that this was not the case ultimately - would you agree?

EDIT: http://www.ubercart.org/forum/development/6171/credit_card_refunds < refund functionality started around 1.6 it seems?

EDIT 2: please UC team, links to ubercart.org are not spam! tell Mollom your own site is OK

Giant Robot - for campaign, charity, ngo & online store solutions - www.giantrobot.co.nz

TR
Joined: 11/05/2007
Re: seems straightforward

Google Checkout doesn't let you refund more than the original transaction amount. This is true of *all* the payment processors I have ever encountered. So I don't see how the reported incident could be possible unless someone got into your Google account and made a payment (not a refund) from your account. As Ubercart/Drupal doesn't have access to your Google account login/password (only your API credentials, which is a different thing), I don't see the connection between the incident and Ubercart/Drupal. Additionally, I don't understand your statement "The hacker didn't gain anything but I am out $1000." Who got the money then? It doesn't just disappear, and should be easily recoverable in the event of a fraudulent transaction.

<tr>.
edj
Joined: 05/09/2009
Re: Re: seems straightforward

TR - To answer your question, when someone is refunded, that amount of money is debited from my bank. Therefore, I received a bill from Google around $800.

justageek@drupal.org
Joined: 10/28/2008
this did not answer the question

TR's main question is this: how can someone refund $800 when the original 'sale' was $0.01? Google does not let you do that. So, the perpetrator would have to be able to log in to your account and pay himself / herself $800.00, straight up. Which implies that they knew your account login information. Which, to me, implies that the breach is independent of Ubercart. Nothing here indicates a flaw in the e-commerce software. Rather, all details strongly suggest social engineering / hacking and not technology hacking.

Obviously, we are not privy to a list of your recent transactions, so we don't have all the data. But, what we do have simply does not indicate a flaw in Ubercart. At best it appears to me that Ubercart could be used somehow to put money in your account, not remove money from your account.

Does any data you have indicate that the fraudulent transactions originated from your e-commerce web site? It sounds like they originated from within Google's system, i.e. the person logged in and did all this damage.

Finally, no matter what, the note in the thread regarding how to report security issues is the most pertinent. We don't want to carry on conversations that would tell someone how to infiltrate a payment system using any piece of software, not in a public forum.

edj
Joined: 05/09/2009
Re: this did not answer the question

justageek - I'll try to make myself a bit more clear regarding the $800. When someone purchases something for $100, then another person purchases something for $100, and then 6 different people do the same thing, then there is a total of $800 that can be refunded to 8 people. This is what he did. He refunded multiple people their purchases which totaled around $800. Google then took that money out of my bank account.

There is NO possible way this person could have guessed my password. It's 12 characters and it's the only pass I use.

I find it weird that this person went into the admin section of my site, did a .01 payment to my Google account, and was then given access. This is why I feel there is a security flaw in Ubercart. Only Ubercart has the ability to "talk" to Google on my site.

To answer someone else's question: No, Google did not tell me how they found out (decided) there was unauthorized activity. I assume they looked at the refund comments and figured it wasn't me spewing Israel B.S.

edj
Joined: 05/09/2009
Re: seems straightforward

xurizaemon - I don't know if I agree or not as I don't know the internal workings of UC as well as the coders. I'm presenting a situation where security was breached and I lost money. I find it my responsibility to tell the community of the cart I use in case there is a security flaw. It's up to the developers to decide whether or not there is a security flaw.

vincew
Joined: 01/21/2009
edj #11 wrote Quote:I would

edj #11 wrote

Quote:

I would like to continue this discussion to figure out how the hacking was done.

That's the way to go edj.... If it happened once, it can happen more often and if you don't resolve it, it can devastate your business or drive you insane. In cases of a security breach there are several ways of investigating what went on and how it was done. All pieces of the puzzle will help you to gain insight into the matter and with insight you gain the ability to handle a situation like this.

I have a question on the GCO side of this matter.... Among the response from Google was:

Quote:

After reviewing your account again, I can confirm that there appears to be unauthorized activity in your merchant account.

Did they tell you what that comment was based on? It could be useful in helping you sort out what went on. (Don't tell the exact cause here, you never know who is lurking here), but I just wondered if they have made a common statement in their mail or can actually help you on this.

Best,
VinceW

BTW xurizaemon... drupal.org also suffers from it, could also have something to do with reposting the message a few times

-=[ Your Information Matters ]=-

(You may use my personal contact form to discuss drupal/ubercart work.)

univate@drupal.org
Joined: 03/27/2009
Re: edj #11 wrote Quote:I would

On the subject of security, if you are aware of any actual security issues with any Drupal modules including Ubercart then you should inform the Drupal security team:
http://drupal.org/security-team

For the sake of anyone else using these modules it is best not to publish how someone is able to access your site through a vulnerability before the maintainers can at least have a chance to publish a fix.

edj
Joined: 05/09/2009
Re: Re: edj #11 wrote Quote:I would

univate - I would not know what to report since I don't know how this person did what they did. I feel it's up to Ubercart to report this issue since they know more about their module than I do.

torgosPizza
Joined: 08/14/2007
Re: Re: Re: edj #11 wrote Quote:I would

It doesn't matter that you didn't know how this person did it... the fact that there was a security breach of some sort shouldn't have been posted on a public message board, but sent discreetly to someone who might be able to better provide information. If everyone were to learn of a vulnerability, then the chances of other users trying to exploit it go up exponentially. I don't think there is a vulnerability here, so in this case it is probably okay, however next time submit a report either through a private message, an email, or the link that was provided to Drupal security above.

Having said that, you mentioned you worked with the person you believe is responsible for this? Is it out of the question that, since the PW you used for Google is the "only password" you use, that this person could have logged it from your machine at some point during his tenure? Or, more nefariously, hacked into another account of yours? I'm just saying that, if this was a person you knew, then there's the possibility that no hacking was required.

--
Help directly fund development: Donate via PayPal!

edj
Joined: 05/09/2009
Re: Re: Re: Re: edj #11 wrote Quote:I would

Torgos - I would appreciate you not lecturing me on the fact I stated on a public support forum my issue. I'm not the bad guy, here...understand? How am I to know who to "privately" contact? It wasn't until I posted my issue that I was given this information. If the mods on this board feel that what I'm stating is TOO public, they do have the ability to moderate the thread.

This is a dead thread. So, answering your questions doesn't really help much. It's all assumptions as I have no idea if that person hacked anything else.

I'm a bit irritated at this community in the fact I stated a serious hacking issue, yet I'm lectured as to what I shouldn't be doing to protect Ubercart's face.

I'm going to uninstall Ubercart and leave this community.

univate@drupal.org
Joined: 03/27/2009
Hi edj, No-ones saying you

Hi edj,

No-one's saying you are the bad guy, it's just that the way this issue was posted concerns everyone.

* Firstly your title and first post created the impression there was a major security issue with the Ubercart module - and it came across as you attacking the software without any evidence that it was a flaw in the software (if you attack people, people tend to attack back - it's human nature). You will be more welcomed in a community if the first words are not an attack, especially if you don't have any evidence. If you don't know how the attack happened then ask questions rather than make accusations first.

* Secondly we all discovered later on that you actually suspected someone you know who has had access to your site in the past and did development work for you - we don't know what exactly they did for you or what access they had but there are any number of things that they could have left behind that gave them access to the site again in the future or information they had (e.g. passwords that weren't changed).

The fact is the human element is usually the weakest link in the security of any system. Things like social engineering provide the easiest way to compromise a system rather than technical or software flaws.

My post about security was for information purposes only... (you will see it wasn't even addressed to you or Ubercart specifically but to any Drupal modules) if you know your system has been compromised and you know how it happened or have a reasonable idea how it happened then the first point of call should be to contact someone privately (I suggested the Drupal security team, but if you contacted one of the maintainers here instead that would also be good).

You haven't posted enough information to say how the attack occurred (or enough for someone to help you secure your site). So I wasn't that concerned with what was here already, but I was concerned about the ongoing discussion and if you had sensitive information on how the attack occurred then I didn't want you to post that in the public forum but rather alert someone privately so everyone running Ubercart didn't become compromised as well - if that happened you would definitely be seen as the bad guy. It's not about protecting Ubercart's face (Ubercart recently asked everyone to post what is wrong with Ubercart so that it can be considered for the next version), it's about protecting the thousands of other members' sites currently running Ubercart from having to suffer the same as you.

If you didn't know who to contact then you could have just posted something like "My google account was compromised and I think it might be due to a security issue in ubercart, where can I post the details so someone will look into this ASAP?"

torgosPizza
Joined: 08/14/2007
Re: Hi edj, No-ones saying you

Edj, I apologize for coming across as lecturing you. That wasn't my intent - however there was a better way to go about the issue. I was simply trying to point that out.

Regardless, I hope you are able to get to the bottom of the issue and get it resolved. If it does in fact, turn out to be an Ubercart vulnerability, you still should not post it here. Instead, follow the information provided here: http://drupal.org/security-team#report-issue

--
Help directly fund development: Donate via PayPal!