Credit Card System Vulnerability (PHP, cURL, VERIFYPEER)

On July 14th I found that SSL certificate verification had been disabled in a major credit card processor's PHP API and I began a responsible disclosure process with the vendor. Through this process it was identified that this problem was not unique to this vendor, but rather, it affected a wide variety of major payment processors and e-commerce application packages.

Throughout this disclosure I contacted the CBA (Canadian Bankers Association), the Privacy Commissioner of Canada and the Canadian Cyber Incident Response Centre (CCIRC, a division of Public Safety Canada), who helped with a six-month process of identifying and responsibly notifying as many affected vendors as possible.

During this process new PCI-DSS encryption standards were released that cover the vulnerability, and vendors should promptly review their compliance with these new PCI-DSS standards.

Today, CCIRC is releasing the technical details of this vulnerability as advisory IN11-003 (http://www.publicsafety.gc.ca/prg/em/ccirc/2011/in11-003-eng.aspx) to inform any other vendors that we have not been able to contact.

Full disclosure of affected libraries, and a paper describing the breadth and scope of this vulnerability will follow in the new year. It is my hope that with this technical information now public, vendors of affected software can begin the process of disclosure and notification to end-users and customers about the potential that their credit card, name, address and purchase information may have been intercepted while shopping online.

This is not a new vulnerability; in fact, I wrote a strong warning about this very issue in my 2008 book Pro PHP. This vulnerability exists entirely in the vendor's API software and does not represent any issue with PHP or cURL themselves. Affected software must be patched directly on e-commerce websites. However, in most cases no automated patching mechanism exists that the affected vendors could use centrally, so manual upgrading will need to be performed by merchants themselves.
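As an added example (my own illustration, not code from this post or from any vendor's API), here is the weakened cURL setting the advisory concerns, the corrected form a vendor API should ship, and a small audit helper a merchant can run over a site's PHP files while patching by hand; the function names, gateway URL and CA bundle path are assumptions.

```php
<?php
// Added example, not code from any affected vendor API or from this post.
// Helper names, the gateway URL and the CA bundle path are assumptions.

// What the affected libraries did (the pattern the audit helper below finds):
//     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // weak: chain not validated
//     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // weak: hostname not checked
// With these set, cURL accepts any certificate, so whoever sits on the path
// can terminate the TLS session and read the card data in transit.

// Corrected form: validate the chain against a trusted CA bundle, require the
// certificate name to match the host, and refuse anything but HTTPS.
function gateway_post(string $url, array $fields, string $caBundle): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,     // 2 = name must match the host
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {               // a failed verification lands here
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Gateway request failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Audit helper for merchants patching by hand: list PHP files under $dir that
// set CURLOPT_SSL_VERIFYPEER to false or 0, in either setopt style.
function find_verifypeer_disabled(string $dir): array {
    $hits = [];
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($files as $f) {
        if ($f->getExtension() !== 'php') continue;
        $src = file_get_contents($f->getPathname());
        if (preg_match('/CURLOPT_SSL_VERIFYPEER\s*(,|=>)\s*(false|0)\b/i', $src)) {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}
```

A request made with the corrected options fails closed (curl_exec returns false and the exception fires) when the gateway's certificate cannot be validated, which is the behaviour the vulnerable libraries had switched off.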

I would like to thank Tamir Israel from CIPPIC for providing much needed legal advice and support, as well as Christopher Parsons for sharing his resources, being a confidential sounding board and acting as a secure secondary storage location while this vulnerability was being disclosed.

In the new year, we will reveal the history of the bug, the affected vendors and their responses to this vulnerability. We will discuss the need for reforms in privacy law, the responsible disclosure system and in breach notification.

If you are an affected vendor, I suggest you contact the Privacy Commissioner of Canada and/or the Canadian Cyber Incident Response Centre for further mitigation advice.