•   almost 12 years ago

Am I missing something, or is this an enormous security flaw with MintChip? (CSRF vulnerability)

Consider the following simple HTML page, copied to pastebin to preserve formatting: http://pastebin.com/yzJ7sgTh

Assuming the MintChip ID in the action URL is valid, this will immediately attempt to create a value message for 1 cent. What's the problem? This is done with no user interaction at all, and once the value message is created, the money is gone! You can see in the remote MintChip management UI that the money is deducted from your MintChip account.

The only thing stopping this from working is if the user is prompted for the client certificate; however, if you've already authenticated the client certificate (by going to remote.mintchipchallenge.com, for instance) and set it to remember your certificate, there will be no prompting at all. I've tested and confirmed this on Firefox and Chrome.

So my question is: what am I missing here? Are end users not supposed to have hosted MintChip accounts? Or is this just a cross-site request forgery exploit that was missed during development?

  • 4 comments

  •   •   almost 12 years ago

    I've been playing around with this more and found that having a local chip plugged into your computer, plus the MintChip web browser plugin that comes with the available Windows web code sample, has the same problem. See this pastebin for the basic idea: http://pastebin.com/LidxEJ7V

    Essentially, once the MintChip plug-in has loaded, you can use AJAX to perform a GET request that generates a ValueRequestMessage, then call the MintChip API to generate a ValueMessage from the ValueRequestMessage. At this point, again, the funds in your local mint chip are lost. Except with this method you can take things a step further by sending the value message back to the server, which can then accept it.

    So at this point, I'm operating under the assumption that, since this is a development prototype, these security features simply aren't in place yet. All of the verification for end users, i.e. making sure that you are actually sending the value that you think you are sending, to whom you think you are sending it, is done on the "merchant" side, which is a recipe for disaster in the real world. With the MintChip plug-in installed, simply visiting a website could allow a user to steal all the money on any MintChip card you had on your phone or in your computer's USB slot.

    I'd be interested to hear any details on how these problems will be solved after MintChip moves out of the prototype phase.

  •   •   almost 12 years ago

    Good find. Let's hope they respond.

  •   •   almost 12 years ago

    I think this raises a more important issue with the final product (assuming one is ever released).

    How do you know who to trust? You can't track your money if it's stolen. You can't get a refund. If you have a hosted chip on a site with poor security, it's like leaving your wallet on the bus. And how do you know your plugins and apps aren't going to steal your money?

  •   •   almost 12 years ago

    I suspected these problems from the beginning and am happy someone has tested and confirmed the issue both with local and remote MintChip.
    If this is left unchanged, then MintChip has no future since it will be ridiculously easy for malicious applications to do their thing, even if the typical usage of a MintChip is supposed to be "only plug it in when you need it" (which brings up ease-of-use issues on most phones).
    If the MintChip is using 'standard' smartcard technology, as appears to be the case, then it should be easy to enable PIN protection.
