Valid card ID used to view balance of other cards

Mar 9, 2015 12:01 GMT  ·  By

Blackhawk Network repaired a flaw in its GoWallet mobile application that allowed an unauthorized party to view the transactions of any gift card by simply changing the card identification number in the request sent to the server, a classic insecure direct object reference.

GoWallet is an app for managing different types of gift cards from a single place. It shows card balances, offers protection if a card is lost or stolen, and allows exchanging unused gift cards.

Two-factor authentication failure

Randy Westergren, a senior developer at XDA Developers who does security research in his spare time, noticed that when the app requests a card's transactions, GoWallet first authenticates the card and issues a user token, even though the user had already been verified.

This second authentication step, based on the ZIP code, the card number and the last four digits of the phone number, was performed by the app in order to obtain the user token. However, it happened entirely in the background: the user was never prompted to provide the information.

Westergren said that at the time of his testing GoWallet did not actually display the transactions, most likely because of a glitch, but the server still honored the requests, so the information was present in the traffic sent to the app.

“Using a two factor authentication scheme is certainly a best practice when dealing with highly sensitive information. The problem is that the other required pieces of information (phone number, zip code) were already being returned by a previous API request, making it useless as a 2FA method,” he wrote in a blog post on Saturday.

Card ID essential in getting list of transactions

Starting from this observation, the researcher authenticated with the details of a different, older card, then replaced the card number in the transactions request with that of a card currently in use.

Although authenticated with the data for the old card, he was able to see all the transactions for the newer one, which was not associated with the account he used for the test. In simpler terms, an unauthorized individual could have accessed the information of any card in the system just by changing the identification number, because the server never checked that the requested card belonged to the authenticated user.
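The two weaknesses described above (the background "second factor" that can be satisfied with data the API already hands out, and a transactions endpoint that trusts the card number in the request instead of the card the token was issued for) are easy to model. The following is an added, constructed example and is not GoWallet's or Blackhawk Network's code: the card numbers, account names, ZIP codes, phone digits, transactions and function names are all invented for illustration. It contrasts the flawed lookup with a hardened version that binds the card to the token.

```python
"""Vulnerable vs. hardened card-transaction lookup (constructed example).

Hypothetical in-memory model of the flaw described in the article: a user
token is issued after a card is "authenticated" with ZIP code and phone
digits, but the transactions endpoint then trusts whatever card ID the
client puts in the request. All data, names and the API shape are
assumptions for illustration, not GoWallet's code.
"""
import secrets

# Constructed sample data: two cards belonging to two different accounts.
CARDS = {
    "6006491234567890": {"account": "alice", "zip": "19801", "phone_last4": "5551",
                         "balance": 12.50,
                         "transactions": [("Coffee Shop", 3.50), ("Bookstore", 9.00)]},
    "6006499876543210": {"account": "bob", "zip": "90210", "phone_last4": "0199",
                         "balance": 80.00,
                         "transactions": [("Electronics Store", 20.00)]},
}

TOKENS = {}  # token -> card number the token was issued for


def card_profile(card_no):
    """Earlier API call in the flow: returns card details, including the very
    fields the background 'second factor' later asks for (the 2FA weakness)."""
    card = CARDS.get(card_no)
    if card is None:
        return None
    return {"zip": card["zip"], "phone_last4": card["phone_last4"]}


def authenticate_card(card_no, zip_code, phone_last4):
    """Background check on ZIP code and phone digits; returns a user token or None."""
    card = CARDS.get(card_no)
    if card is None or card["zip"] != zip_code or card["phone_last4"] != phone_last4:
        return None
    token = secrets.token_hex(16)
    TOKENS[token] = card_no
    return token


def transactions_vulnerable(token, card_no):
    """Flawed handler: verifies the token exists, then trusts card_no from the request."""
    if token not in TOKENS:
        return {"error": "unauthorized"}
    card = CARDS.get(card_no)  # object reference taken from the client, never tied to the token
    if card is None:
        return {"error": "not found"}
    return {"balance": card["balance"], "transactions": card["transactions"]}


def transactions_fixed(token, card_no):
    """Hardened handler: the requested card must be the one the token was issued for."""
    bound_card = TOKENS.get(token)
    if bound_card is None or not secrets.compare_digest(bound_card, card_no):
        return {"error": "unauthorized"}
    card = CARDS[bound_card]
    return {"balance": card["balance"], "transactions": card["transactions"]}


def demo():
    """Reproduce the reported path: pull Alice's old card's 'second factor' data from
    the earlier API call, get a token for it, then ask for Bob's card by number."""
    old_card, target_card = "6006491234567890", "6006499876543210"
    profile = card_profile(old_card)  # ZIP and phone digits come from the API itself
    token = authenticate_card(old_card, profile["zip"], profile["phone_last4"])
    leaked = transactions_vulnerable(token, target_card)   # Bob's data is returned
    blocked = transactions_fixed(token, target_card)       # rejected: card not bound to token
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable handler:", leaked)
    print("fixed handler:", blocked)
```

The fix is deliberately not "validate the card number harder": the server already had a token tied to one card, so the only check that matters is whether the card in the request is that card (or, in a multi-card account, one of the cards owned by the token's account). Any authorization decision built on the ZIP code and phone digits is worthless here, because the same API returned them a step earlier.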

The risk posed by the flaw was exposure of transaction data, including the card balance, the merchant where a purchase was made, and the amount of each transaction, the researcher said in a Twitter conversation.

Westergren created a proof-of-concept (PoC) demonstrating the flaw and made responsible disclosure of the issue.

According to the timeline of the disclosure process, Blackhawk Network was prompt in addressing the problem and pushed a fix three days after receiving the report and the PoC.

GoWallet can be used with gift cards, including reloadable ones, from different financial services vendors, such as Visa and PayPal (via MasterCard). The Blackhawk Network service also supports prepaid plans from mobile carriers for both data and voice.