I found this little gem on Reddit that talks about a flaw in MasterCard’s recently updated hashing scheme. The author claims to have found an earlier vulnerability in MasterCard’s hosted payment system, reported it, and received a bounty for his efforts. He goes into some detail about what that exploit was, which lends weight to his next claim: that the system is still vulnerable after the update. His explanation is technical, but he tries to break it down. The bug lets you construct a string that passes as a valid request to, or response from, the MIGS server while injecting extra content into it, and the string still produces a correct hash; in other words, the hash does not reliably distinguish the injected content from the legitimate fields. The post argues that the flaw is in the hashing scheme itself and has to be fixed on MasterCard’s end, since merchants only implement the hash format the gateway dictates.
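As an added illustration (my own code, not from the Reddit post and not MasterCard’s actual MIGS algorithm), here is the general class of bug the author is describing: a hash over fields that are run together without unambiguous boundaries can be “correct” for two different sets of fields. The parameter names, the secret and the two weak schemes below are constructed for the example; the hardened canonical form at the end shows what a fix looks like.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed secret standing in for the per-merchant key a gateway would use.
SECRET = b"constructed-demo-secret"


def mac_over(data: str) -> str:
    """HMAC-SHA256 of whatever string the signer chose to cover."""
    return hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()


def sign_joined_values(fields: dict) -> str:
    """Weak scheme A (constructed): values, sorted by key, are run together
    with no separator, so the field boundaries are not part of what is hashed."""
    return mac_over("".join(v for _, v in sorted(fields.items())))


def kv_unescaped(fields: dict) -> str:
    """Weak scheme B (constructed): sorted key=value pairs joined with '&',
    values inserted verbatim, so a value may itself contain '&' and '='."""
    return "&".join(f"{k}={v}" for k, v in sorted(fields.items()))


def parse_kv_last_wins(raw: str) -> dict:
    """A receiver that checks the MAC over the wire string and then splits it
    the obvious way; a repeated key silently overwrites the earlier one."""
    out = {}
    for pair in raw.split("&"):
        k, _, v = pair.partition("=")
        out[k] = v
    return out


def canonical(fields: dict) -> str:
    """Hardened form: keys and values are percent-encoded so '&' and '=' can
    only be separators, and every element is length-prefixed so no boundary
    between fields can shift."""
    parts = []
    for k, v in sorted(fields.items()):
        for s in (quote(k, safe=""), quote(v, safe="")):
            parts.append(f"{len(s)}:{s}")
    return "&".join(parts)


def sign_canonical(fields: dict) -> str:
    return mac_over(canonical(fields))


def verify_canonical(fields: dict, mac: str) -> bool:
    return hmac.compare_digest(sign_canonical(fields), mac)


def demo() -> dict:
    """Exercise both weak schemes and the hardened one; returns the outcomes."""
    # Scheme A: moving one digit across the boundary leaves the hashed bytes unchanged.
    honest = {"vpc_Amount": "100", "vpc_OrderInfo": "0"}
    shifted = {"vpc_Amount": "1000", "vpc_OrderInfo": ""}
    scheme_a_collides = sign_joined_values(honest) == sign_joined_values(shifted)

    # Scheme B: an attacker-influenced value smuggles a second vpc_Amount pair.
    # The signer covers a string carrying vpc_Amount=1000; a receiver that
    # verifies the MAC over the wire string and then parses it reads vpc_Amount=1.
    signed = {"vpc_Amount": "1000", "vpc_OrderInfo": "gift&vpc_Amount=1"}
    wire = kv_unescaped(signed)
    mac = mac_over(wire)
    scheme_b_verifies = hmac.compare_digest(mac_over(wire), mac)
    scheme_b_parsed_amount = parse_kv_last_wins(wire)["vpc_Amount"]

    # Hardened: the shifted fields no longer verify against the honest MAC, and
    # the injected value is escaped so it cannot be re-split into new fields.
    hardened_rejects_shift = verify_canonical(shifted, sign_canonical(honest))
    hardened_escapes_injection = "&vpc_Amount" not in canonical(signed)

    return {
        "scheme_a_collides": scheme_a_collides,
        "scheme_b_verifies_on_wire": scheme_b_verifies,
        "scheme_b_parsed_amount": scheme_b_parsed_amount,
        "hardened_rejects_shift": hardened_rejects_shift,
        "hardened_escapes_injection": hardened_escapes_injection,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for a merchant integration is that if the gateway’s hash covers a string whose boundaries can be moved, or whose values can contain the separators, a matching hash proves nothing about which fields you will read out of it afterwards. The merchant’s verification code cannot fix that; the format the gateway signs has to change.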
The main point the author is trying to make is that his bounty for the first bug was 8,500 dollars from MasterCard and 400 dollars from Fusion Payments, and that with this new exploit his repeated requests to talk with MasterCard have simply been ignored. He argues that such low bounties, combined with how hard it is to reach anyone there, give researchers little incentive to come forward with this kind of information, and he asks how many black-hat hackers are already taking advantage of the flaw.
It is interesting that MasterCard doesn’t seem to want to encourage people to report exploits in its systems. You would think it would fear a major breach, but it seems to be hoping everything will be fine. I’m sure they have a security team, but you would think they would try to motivate outsiders to come forward with this kind of information. Perhaps it’s another case of negligence until it blows up in their face.