
Unsecured payments on Menupages.ie

  • 17-05-2017 6:45pm
    #1
    Registered Users Posts: 43


    I do not normally use Menupages.ie but, on the recommendation of a friend, I went to the website to buy a voucher for a meal at a restaurant. After I filled out my personal details, I was sent to an unsecured page to enter credit card details (number, expiry date, 3 digit code). The Chrome page was showing the 'Info or Not secure' symbol in the top left corner. Naturally, I closed the page immediately.

    I am no web security expert but it seems rather irresponsible for an on-line merchant to request credit card details like that. What do you think? Menupages is not answering its phone line.


Comments

  • Posts: 0 [Deleted User]


    Hey,

    You had me curious so I fired up Wireshark and Burp Suite.

    I selected a random deal from their main page and filled out the details. All this information was sent over HTTP via a POST request in plaintext.

    So this information is fully visible to anybody who intercepts your traffic. This includes email, phone number, location but no payment details.

    After submitting this info I was redirected to http://deals.menupages.ie/pay, which requests my credit card info and, as you stated, my connection to this site is HTTP and not HTTPS.

    So I dipped into the page source to see what's going on with the validation.
    I noticed the following script within the page:

        (function ($) {
            $(function () {
                Stripe.setPublishableKey('pk_live_XXXXXXXXX');
            });
        })(jQuery);

    This is Stripe.js, which allows client-side JavaScript to securely communicate with a payment vendor. This is important because it means deals.menupages.ie never actually handles your credit card details, nor does any information you enter get sent to deals.menupages.ie.

    This is a simple solution for small vendors to bypass the compliance needed to handle PII.

    Hope this clears things up :)
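
A check for the two conditions reported in this thread (a details form submitted over HTTP and a card-entry page served over HTTP), as an added example that is not part of either post or of the site's code. The function name, finding labels, field-name hints, host names and sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CARD_HINTS = ("card", "cvc", "cvv", "expiry")  # assumed field-name hints

class PageScan(HTMLParser):
    """Collects form targets, script sources and signs of card entry."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.script_srcs = [], []
        self.takes_card = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "input":
            label = (a.get("name", "") + " " + a.get("id", "")).lower()
            self.takes_card |= any(h in label for h in CARD_HINTS)

    def handle_data(self, data):
        # The pay page in the thread was recognisable by this Stripe.js call.
        if "Stripe.setPublishableKey" in data:
            self.takes_card = True

def audit_page(page_url, html):
    """Return sorted transport findings for one fetched page."""
    scan = PageScan()
    scan.feed(html)
    scan.close()
    def insecure(ref):
        # Resolve relative and protocol-relative references against the page.
        return urlparse(urljoin(page_url, ref)).scheme != "https"
    findings = set()
    if insecure(page_url):
        findings.add("card-page-over-http" if scan.takes_card else "page-over-http")
    if any(insecure(act) for act in scan.form_actions):
        findings.add("form-posts-over-http")
    if any(insecure(src) for src in scan.script_srcs):
        findings.add("script-loaded-over-http")
    return sorted(findings)

# Constructed sample modelled on the thread; not the site's real markup.
SAMPLE_PAY = """<form action="/pay"><input name="card-number"><input name="cvc"></form>
<script src="//js.stripe.example/v2/"></script>
<script>Stripe.setPublishableKey('pk_live_PLACEHOLDER');</script>"""
```

Calling `audit_page("http://deals.example/pay", SAMPLE_PAY)` reports all three findings; the same markup under an `https://` URL reports none, because the relative form action and the protocol-relative script inherit the page's scheme.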

