I tested the module and while I was on sofortüberweisung.de, logged into my bank account and having gotten a mobile TAN, I waited too long so the timeout limit was reached. When I then entered the mobile TAN I was transferred back to the e-commerce site but received the following error (which includes our project password; I changed it here):
Array ( [transaction] => [user_id] => [project_id] => [sender_holder] => [sender_account_number] => [sender_bank_code] => [sender_bank_name] => [sender_bank_bic] => [sender_iban] => [sender_country_id] => [recipient_holder] => [recipient_account_number] => [recipient_bank_code] => [recipient_bank_name] => [recipient_bank_bic] => [recipient_iban] => [recipient_country_id] => [international_transaction] => [amount] => [currency_id] => [reason_1] => [reason_2] => [security_criteria] => [user_variable_0] => [user_variable_1] => [user_variable_2] => [user_variable_3] => [user_variable_4] => [user_variable_5] => [created] => [project_password] =>abcdefghijklmn123 [verified] => )
The problem is that the project password is transmitted unencrypted, so any user could get the project password of a shop this way. I believe this is a major security issue.
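As an added example (not code from the module or from this thread), a small PHP helper that masks secret fields before a transaction array is ever rendered into an error message or log line. Only project_password comes from the report; treating security_criteria as sensitive, and the function and sample values, are assumptions.

```php
<?php
// Added example, not part of the sofortüberweisung module.
// Keys whose values must never reach an error page or a log line.
// project_password is the field leaked in the report; the rest is an assumption.
const SENSITIVE_KEYS = ['project_password', 'security_criteria'];

/**
 * Return a copy of $data with sensitive values replaced by a fixed mask.
 * Recurses into nested arrays so a wrapped transaction is covered as well.
 */
function redact_transaction(array $data, array $sensitive = SENSITIVE_KEYS): array {
  $out = [];
  foreach ($data as $key => $value) {
    if (is_array($value)) {
      $out[$key] = redact_transaction($value, $sensitive);
    }
    elseif (in_array((string) $key, $sensitive, TRUE)) {
      // Keep the key so the dump stays readable, but drop the value.
      $out[$key] = ($value === '' || $value === NULL) ? $value : '[REDACTED]';
    }
    else {
      $out[$key] = $value;
    }
  }
  return $out;
}

// Constructed sample shaped like the dump in the report (placeholder secret).
$transaction = [
  'transaction' => '',
  'project_id' => '',
  'amount' => '',
  'project_password' => 'PLACEHOLDER_SECRET',
  'verified' => '',
];

// Only the redacted copy is suitable for print_r() in a user-facing error.
print_r(redact_transaction($transaction));
```

The redacted copy should be the only form that reaches print_r(), watchdog() or drupal_set_message(); the original array stays inside the request handler.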
Comments
Comment #1
jurgenhaas commented
Thanks for reporting this. I can confirm that this could have happened just in the case of a timeout and if the customer regardless continued to process. This has been fixed in the 1.5 release.
Comment #3
janton commented
So this problem is fixed in the development version and not in 1.4????
Then I really need to change to the development version, I think!
Comment #4
jurgenhaas commented
Comment #1 stated that it was fixed in version 1.5, as it was reported against 1.3 at a time when 1.4 was already published. For some reason, the fix was committed and available in the dev release but the 1.5 release wasn't made available. I've just completed that process now and the 1.5 release is now available.