Wibmo payment gateway flaw: Transactions with same OTP

Payment gateways, such as Wibmo, CCAvenue, and PayUbiz, facilitate payments on thousands of online portals. And customers implicitly trust them to secure their transactions. But, as reported by a security researcher, a flaw in the logical design of a previous version of Wibmo payment gateway put its customers at risk. This was because the payment gateway did not distinguish between transactions initiated within the same time frame.

Payment gateways serve as a channel of communication, between merchants and banks, to conduct secure transactions. The gateway encrypts the transaction information, which includes the credit/debit card number, CVV, expiry date, etc. And passes on the information to the payment processor, which acts as the link between the user bank and merchant bank. The gateway confirms the payment, unless the information is incorrect. Then, the processor settles the payment with the merchant’s bank.

Flow of payment gateway transactions
Flow of payment gateway transactions

One Time Passwords for gateways

In order to secure transactions, 3-dimensional payment gateways add time-based One Time Passwords (OTPs) as an additional layer of authentication. The payment gateway only accepts time-based OTPs submitted within the permitted time frame. After which the OTP is not valid. Even though this additional layer of authentication should secure transactions, a vulnerable gateway, could reduce its efficacy. A payment gateway that is not able to distinguish between transactions, could permit unauthorized transactions.

Flaw in the design of Wibmo Payment Gateway

  • Wibmo fails to distinguish between transactions processed during a single 180 second time frame.
  • So, the OTP generated for a transaction is valid for other transactions, in the same time period. Irrespective of the amount or geo-location.
  • This vulnerability increases the possibilities of a man-in-the-middle attack (MITM) by which the attacker forges the request. 
  • And if the OTP remains unused for the first few seconds or minutes, it allows attackers to conduct fraudulent transactions within the validity period of the OTP.

Explaining the flaw through a scenario

  • A user initiates a legitimate transaction for Re.1.
  • They receive an OTP, on their registered mobile number, which is valid for 180 seconds.
  • Before the user applies the OTP for that transaction, an attacker intercepts the OTP and uses it to process a transaction for Rs.1000. Irrespective of the attacker’s location, and transaction amount, the fraudulent transaction is considered legitimate. And the attacker successfully receives the amount.

    Wibmo payment gateway flaw: Sample scenario that exploits Wibmo flaw
    Sample scenario that exploits Wibmo flaw

Verification of the Wibmo Payment Gateway flaw

CloudSEK’s research team tested Wibmo with various banking systems to confirm the flaw. We found that the same OTP is valid for 180 seconds or more, for any transaction, provided the OTP has not been used already. The screenshots below prove the same:

Wibmo payment gateway flaw: Parallel transactions generating the same OTP
Parallel transactions generating the same OTP

Conclusion

With the increasing number of online transactions, flaws such as Wibmo’s make users vulnerable to threat actors. Apart from financial losses, it could impact the reputation of the payment gateway, and the online portals using it.

Note: Wibmo became aware of this flaw on the 3rd of August, 2019. The security team at Wibmo closed the issue and marked it as a known functionality on August 12, 2019. And publicly disclosed the flaw on August 25, 2019. Wibmo recommends that portals using its payment gateway should fix the vulnerability, to avoid security incidents.