“iPortis.com provides e-commerce payment acceptance and product delivery solutions focused on exceptional customer service. We offer a secure, reliable, and affordable transaction processing platform for a wide range of electronic and physical goods and services. iPortis.com makes it easy to increase your sales by making your Products available for secure online purchase with Visa, MasterCard, American Express, Discover/Novus, JCB, and PayPal.” — I have taken this quote from the home page of iPortis.com. According to these statements, selling products through iPortis is secure and reliable. But how secure is it really?
A few months ago, someone told me about a desktop application, AllMyNotes Organizer. I tried the demo version, liked it and wanted to keep using it, but the demo had a limited lifetime. To get a licensed version I went to their site, and clicking the ‘Buy Now’ button redirected me to iPortis.com. For a while I wondered why the sale went through a third-party company at all.
Later I spent some time looking at that e-commerce provider’s security and found that the site itself is not secure enough to be trusted with such a responsible service. Many utility programs such as Make The Cut, Product Key Explorer, BestSync 2010 – Premium, AllWebMenus Pro and G-Lock EasyMail 6 are sold through iPortis; I found hundreds of them on the site, and almost all of them could be obtained from iPortis without spending a single penny. The vulnerability is in their order form. The orderform.php page contains a hidden field, test_order. If you set this parameter’s value to ‘yes’ and submit the form, the application treats the order as a test order: the final checkout page does not ask for any credit card information, yet it still sends a valid registration code for the product. A hidden field is still part of the request the browser sends, so anyone can change it with the browser’s developer tools or an intercepting proxy; the server must never use such a field to decide whether payment is required. My guess is that the developers left this in deliberately as a feature to make testing easier.
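To make the flaw concrete, here is an added illustration written for this post; it is not iPortis code and nothing about their real implementation is known beyond the hidden field described above. A vulnerable checkout handler lets a client-supplied test_order value skip payment, while the hardened handler beside it decides test mode only from a server-side session belonging to an authorised account and treats the presence of test_order in a public request as a tampering indicator. The product catalogue, session layout, licence format and account names are all constructed for the example.

```python
"""Hidden-field trust in a checkout flow: vulnerable vs hardened handler.

Added illustration, not iPortis code. Product ids, prices, session layout,
licence format and the staff account list are assumptions for the example.
"""
import secrets
from dataclasses import dataclass, field
from typing import FrozenSet, List, Mapping, Optional

# Constructed sample catalogue (product id -> price in cents).
PRODUCT_PRICE_CENTS = {"allmynotes-pro": 3495}


@dataclass
class CheckoutResult:
    card_required: bool            # does the checkout page ask for a card?
    licence_key: Optional[str]     # key delivered to the buyer, if any
    tamper_indicators: List[str] = field(default_factory=list)


def issue_licence(product_id: str, *, test: bool = False) -> str:
    """Stand-in for a licence generator. Test keys are clearly marked
    so a sandbox order can never yield a key that looks like a paid one."""
    prefix = "TEST-" if test else ""
    return f"{prefix}{product_id.upper()}-{secrets.token_hex(4).upper()}"


def vulnerable_checkout(form: Mapping[str, str]) -> CheckoutResult:
    """Trusts the hidden 'test_order' field exactly as the browser sent it.

    Anyone who edits the hidden input (dev tools, intercepting proxy) gets
    a real licence without ever being asked for a card.
    """
    product_id = form["product_id"]
    if form.get("test_order") == "yes":
        # Payment skipped, but the same licence generator is used.
        return CheckoutResult(card_required=False,
                              licence_key=issue_licence(product_id))
    # Real flow: card collected first, licence issued after it clears.
    return CheckoutResult(card_required=True, licence_key=None)


def hardened_checkout(form: Mapping[str, str],
                      session: Mapping[str, object],
                      test_accounts: FrozenSet[str] = frozenset()) -> CheckoutResult:
    """Ignores every client-supplied flag.

    Test mode is derived only from server-side state: a logged-in account
    that is on the test_accounts list and has test_mode set in its session.
    A 'test_order' field arriving from the public form is recorded as a
    tampering indicator, because the legitimate form never sends it.
    """
    product_id = form["product_id"]
    if product_id not in PRODUCT_PRICE_CENTS:
        raise ValueError(f"unknown product {product_id!r}")

    indicators: List[str] = []
    if "test_order" in form:
        indicators.append("client-supplied test_order=%r" % form["test_order"])

    is_test = (session.get("user") in test_accounts
               and session.get("test_mode") is True)
    if is_test:
        return CheckoutResult(card_required=False,
                              licence_key=issue_licence(product_id, test=True),
                              tamper_indicators=indicators)
    # Everyone else pays; the licence is only issued after a successful charge.
    return CheckoutResult(card_required=True, licence_key=None,
                          tamper_indicators=indicators)


if __name__ == "__main__":
    forged = {"product_id": "allmynotes-pro", "test_order": "yes"}
    print("vulnerable:", vulnerable_checkout(forged))
    print("hardened  :", hardened_checkout(forged, session={}))
    print("staff test:", hardened_checkout({"product_id": "allmynotes-pro"},
                                           session={"user": "qa1", "test_mode": True},
                                           test_accounts=frozenset({"qa1"})))
```

The difference is where the decision lives: the vulnerable handler lets the request decide whether money changes hands, while the hardened one only consults state the client cannot write. Logging the tamper indicator is what lets you see how many people tried the trick before the fix.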
I tried to report this security problem to them through one of their clients, Vladonai Software. That company assured me that the problem was fixed for their product, but was not sure about other products. It was not fixed: six months after my report the problem was still there, which suggests they were not treating it as a serious issue.
As a proof of concept I have made a video demonstrating the problem, but I ask my visitors not to collect valid serial keys from their site in the way described. After all, it is their business. Here is the video:
Video: Insecure iPortis
Note: iPortis.com has informed me that the security problem described above is now fixed.