Data security issue for payment link #100
Comments
Hello, the payment recovery process is closely linked to the order number assigned by the shop. The transaction is identified by this number by Magento. When a transaction has been initiated by user X and he does not complete this transaction, the indicated email address will also be visible when using the payment recovery mechanism. If you could outline the situation in more detail with screenshots, I would be grateful. As for the payment link, it contains the Paynow order number + token: https://paywall.sandbox.paynow.pl/REMP-I23-LQG-YCL?token=XXX
Sure, here is the scenario and screenshots that illustrate the issue:

Scenario: The customer places an order as a guest with order ID 33. For some reason, they do not complete the payment, allowing the order to still be payable. An unauthorized person can use the paynow/payment/retry controller by randomly inputting order numbers. By entering <store_domain>/paynow/payment/retry/order_id/33 in the address bar, they are redirected to the PayNow page, which displays the customer's email among other details. This exposes a significant security vulnerability, as this controller allows unauthorized access to sensitive customer information.

Problem: The main concern here is that this controller, which appears unnecessary, could potentially be exploited to access confidential customer data. This issue underscores the need for a more secure mechanism.

Proposed Solution: Instead of using the controller link for payment renewal in the 'My Account' section, it would be prudent to implement a hashed or encrypted direct link to the payment interface. This approach would ensure that all validation or repayment is handled securely at the block level, which benefits from non-caching, enhancing overall security.

If you type https://test-dmn.ngrok-free.app/paynow/payment/retry/order_id/33 (as any other user), you are now redirected to the paynow page where the customer email is visible.

Thank you for considering this security concern. I look forward to your feedback and hope for a prompt resolution to ensure the privacy and security of customer data.
Magento version: 2.4.7-p2
PayNow version: 1.5.6
If we have a payment link, e.g. /paynow/payment/retry/order_id/81, it is possible to provide another order number (it must be an order that will of course pass controller validations like isRetryPaymentActiveForOrder and checkIfPaymentStatusIsPending). It is therefore possible to simply substitute the number, e.g. 82: /paynow/payment/retry/order_id/82. The problem is that after going to the bank, the customer's email is visible, among other things.
If someone has placed a guest order, anyone who tries to use that controller with the order ID will have access to make that payment. It seems that this controller is not justified. It is used, e.g., in My Account for repayment; it would be better to add a secure link there (which is the end result of redirecting the controller).
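The report above describes an insecure direct object reference: the retry controller only checks order state (retry active, payment pending), not whether the requester is entitled to that order, so any guessable order_id yields the payment page and the customer's email. The following is an added example, written for this page and not code from the PayNow module or from the reporter, showing the vulnerable authorization logic next to the proposed fix, a signed retry link. The order store, the secret, the token lifetime and the query parameter names (exp, sig) are assumptions for the demonstration; in Magento the secret would come from encrypted configuration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data standing in for Magento's order table.
ORDERS = {
    "33": {"status": "pending", "retry_active": True, "customer_email": "guest33@example.invalid"},
    "82": {"status": "pending", "retry_active": True, "customer_email": "guest82@example.invalid"},
    "90": {"status": "paid", "retry_active": False, "customer_email": "paid90@example.invalid"},
}

# Assumed server-side secret (hypothetical value, never sent to the client).
SECRET = b"example-secret-not-for-production"
TOKEN_TTL = 24 * 3600  # assumed validity window for a retry link, in seconds


def order_passes_state_checks(order_id):
    """Mirrors the only checks the issue says the controller performs
    (isRetryPaymentActiveForOrder / checkIfPaymentStatusIsPending)."""
    order = ORDERS.get(order_id)
    return bool(order and order["retry_active"] and order["status"] == "pending")


def vulnerable_retry(order_id):
    """Vulnerable behaviour from the report: any pending order id, supplied by
    anyone, reaches the payment page (here: returns the order's email)."""
    if not order_passes_state_checks(order_id):
        return None
    return ORDERS[order_id]["customer_email"]


def _mac(order_id, expires):
    # HMAC over order id and expiry so neither can be altered independently.
    msg = f"{order_id}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def build_retry_link(order_id, now=None):
    """Issue a retry link bound to one order id; only the server can mint it."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    query = urlencode({"exp": expires, "sig": _mac(str(order_id), expires)})
    return f"/paynow/payment/retry/order_id/{order_id}?{query}"


def verify_retry_link(link, now=None):
    """Return the order id the link was issued for, or None if the signature
    is missing, does not match the order id in the path, or has expired."""
    parts = urlsplit(link)
    segs = parts.path.rstrip("/").split("/")
    try:
        order_id = segs[segs.index("order_id") + 1]
        qs = parse_qs(parts.query)
        expires = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (ValueError, IndexError, KeyError):
        return None
    now = int(now if now is not None else time.time())
    if now > expires:
        return None
    # Constant-time comparison avoids leaking the MAC byte by byte.
    if not hmac.compare_digest(sig, _mac(order_id, expires)):
        return None
    return order_id


def hardened_retry(link, now=None):
    """Fixed flow: the signature is checked before the order is even looked up,
    so substituting the order id in the path no longer works."""
    order_id = verify_retry_link(link, now=now)
    if order_id is None or not order_passes_state_checks(order_id):
        return None
    return ORDERS[order_id]["customer_email"]


def tamper_order_id(link, new_id):
    """Reproduce the attack from the report: swap the order id in the path
    while keeping the rest of the URL unchanged."""
    path, _, query = link.partition("?")
    prefix = path.rsplit("/order_id/", 1)[0]
    return f"{prefix}/order_id/{new_id}?{query}"


if __name__ == "__main__":
    link = build_retry_link("33")
    print("vulnerable, id 82 guessed:", vulnerable_retry("82"))
    print("hardened, own link:", hardened_retry(link))
    print("hardened, id swapped to 82:", hardened_retry(tamper_order_id(link, "82")))
```

The signed link covers guest orders, which have no session to bind to; for the My Account case the same controller could additionally require that the order belong to the logged-in customer. Either way the ownership check has to run before any order data is read, otherwise the order id remains enumerable.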