Unsecured payments on Menupages.ie

  • 17-05-2017 05:45PM
    #1
    Registered Users, Registered Users 2 Posts: 43


    I do not normally use Menupages.ie but, on the recommendation of a friend, I went to the website to buy a voucher for a meal at a restaurant. After I filled out my personal details, I was sent to an unsecured page to enter credit card details (number, expiry date, 3-digit code). The Chrome page was showing the 'Info or Not secure' symbol in the top left corner. Naturally, I closed the page immediately.

    I am no web security expert but it seems rather irresponsible for an on-line merchant to request credit card details like that. What do you think? Menupages is not answering its phone line.


Comments

  • Posts: 331 ✭✭ [Deleted User]


    Hey,

    You had me curious so I fired up Wireshark and Burp Suite.

    I selected a random deal from their main page and filled out the details. All this information was sent over HTTP via a POST request in plaintext.

    So this information is fully visible to anybody who intercepts your traffic. This includes email, phone number, location but no payment details.

    After submitting this info I was redirected to http://deals.menupages.ie/pay which requests my credit card info and, as you stated, my connection to this site is HTTP and not HTTPS.

    So I dipped into the page source to see what's going on with the validation.
    I noticed the following script within the page:

        (function ($) {
            $(function () {
                Stripe.setPublishableKey('pk_live_XXXXXXXXX');
            });
        })(jQuery);

    This is Stripe.js, which allows client-side JavaScript to securely communicate with a payment vendor. This is important because it means deals.menupages.ie never actually handles your credit card details nor does any information you enter get sent to deals.menupages.ie.

    This is a simple solution for small vendors to bypass the compliance needed to handle PII.

    Hope this clears things up :)
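
Added example, not part of any post in this thread: a check a site operator could run over checkout-page HTML to flag the transport conditions discussed above (the page itself delivered over HTTP, forms posting over HTTP, scripts loaded over HTTP). The function names, finding codes and sample markup are constructed for illustration; only the page URL comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _CheckoutScan(HTMLParser):
    """Collects form targets and script sources, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self.forms.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))


def audit_checkout(page_url, html):
    """Return a list of (code, detail) findings for a payment page."""
    scan = _CheckoutScan(page_url)
    scan.feed(html)
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(("PAGE_NOT_HTTPS", page_url))
    for target in scan.forms:
        if urlsplit(target).scheme != "https":
            findings.append(("FORM_POSTS_OVER_HTTP", target))
    for src in scan.scripts:
        if urlsplit(src).scheme != "https":
            findings.append(("SCRIPT_OVER_HTTP", src))
    return findings


# Constructed sample: the markup is invented, not copied from the site.
SAMPLE_HTML = """
<script src="https://js.stripe.com/v2/"></script>
<script src="/static/checkout.js"></script>
<form id="payment-form" method="post">
</form>
"""

if __name__ == "__main__":
    for code, detail in audit_checkout("http://deals.menupages.ie/pay", SAMPLE_HTML):
        print(code, detail)
```

Relative script and form URLs inherit the page's scheme, so an HTTP page is flagged for its own scripts even when the payment library itself is loaded over HTTPS.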

