Closed lilbumblebear closed 1 year ago
Hi @lilbumblebear. Thank you for your report. To help us process this issue please make sure that you provided the following information:
Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:
@magento give me 2.4-develop instance
- upcoming 2.4.x release
For more details, please, review the Magento Contributor Assistant documentation.
Please, add a comment to assign the issue: @magento I am working on this
Join Magento Community Engineering Slack and ask your questions in #github channel.
:warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
:clock10: You can find the schedule on the Magento Community Calendar page.
:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.
:movie_camera: You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel
:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel
Hi @engcom-Delta. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:
[ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).Details
If the issue has a valid description, the label Issue: Format is valid
will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid
appears.
[ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description
label to the issue by yourself.
[ ] 3. Add Component: XXXXX
label(s) to the ticket, indicating the components it may be related to.
[ ] 4. Verify that the issue is reproducible on 2.4-develop
branchDetails
- Add the comment @magento give me 2.4-develop instance
to deploy test instance on Magento infrastructure.
- If the issue is reproducible on 2.4-develop
branch, please, add the label Reproduced on 2.4.x
.
- If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!
[ ] 5. Add label Issue: Confirmed
once verification is complete.
[ ] 6. Make sure that automatic system confirms that report has been added to the backlog.
any updates on this? seems like there is a security issue here with stored payments being shown on stores without the same processor credentials
@lilbumblebear: I fail to see how this is an issue when the customer account is shared across multiple websites? If it would happen when the "Customers > Customer Configuration > Account Sharing Options" setting is set to "Per Website", then this would be a valid issue. But that's not the case here if I understand you correctly? The creditcard info belongs to the customer, not to the payment method, right?
@hostep I understand your point, however, a vault payment token should technically be tied to the customer AND store in which it was used.
Sharing customer accounts across websites does not mean the websites share payment processor information.
Ex: Braintree credentials are saved at the store_view level. Let's say a store owner has 2 brands, each brand has its own website. Most processors require different accounts for each of these websites in order to display the correct brand in the transaction description. The customers can order from either website, with a shared account, but cannot use the same vault tokens because they are different processor accounts.
Hmm okay, this is pretty complex apparently and far beyond my knowledge 😄
@nathanjosiah: since this could be a potential security related issue, I'm including you here, but if you're not the right person, feel free to include people in here that know more about this functionality.
I don't think there are any security issues here. Based on the description of the problem it does look like a valid bug but I expect the only unexpected/bad behavior with this would be an error message if a token was used for a different payment account than what it was created for.
CC @vkublytskyi
Hi @engcom-November. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:
[ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).Details
If the issue has a valid description, the label Issue: Format is valid
will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid
appears.
[ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description
label to the issue by yourself.
[ ] 3. Add Component: XXXXX
label(s) to the ticket, indicating the components it may be related to.
[ ] 4. Verify that the issue is reproducible on 2.4-develop
branchDetails
- Add the comment @magento give me 2.4-develop instance
to deploy test instance on Magento infrastructure.
- If the issue is reproducible on 2.4-develop
branch, please, add the label Reproduced on 2.4.x
.
- If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!
[ ] 5. Add label Issue: Confirmed
once verification is complete.
[ ] 6. Make sure that automatic system confirms that report has been added to the backlog.
Verified the issue on Magento 2.4-develop branch and the issue is reproducible. Admin:
Front end - Stored card info is displayed however payment is not working. Page not loading.
:white_check_mark: Jira issue https://jira.corp.magento.com/browse/AC-2016 is successfully created for this GitHub issue.
:white_check_mark: Confirmed by @engcom-November. Thank you for verifying the issue.
Issue Available: @engcom-November, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.
@nathanjosiah I think there is a security issue here.
Consider a case where the payment gateway gives weak / colliding tokens. This is fine, because the token means nothing to us, and the association with actual payment happens at the payment gateway side. Let's say (for ease of discussion here) that the payment gateway gives sequential numeric identifiers per account as its tokens.
With the above, let's follow the flow of two users in Magento using the Vault.
Vault1
from the payment gateway.Vault1
from the payment gateway.Vault1
for Sandbox1 and takes payment. All is well.Vault1
for Sandbox2 and takes payment. All is well.Vault1
for Sandbox2 and takes payment from the wrong person. Magento thinks all is well, as the payment gateway reports that it has successfully transferred funds.Another similar problem could exist if the website administrator changes the payment gateway account credentials. For example (following on from above):
Vault1
from the payment gateway.Vault1
for Production1 and takes payment from the wrong person. Magento thinks all is well, as the payment gateway reports that it has successfully transferred funds.From what's being described here, no collisions have been detected so far. (This is most likely because payment gateways are likely producing globally unique tokens.) When there's no collision, the payment gateway is rejecting the token and the user gets an error.
Yes, the token belongs to the user, but also to the payment method / gateway account. When these match what's on the store being visited, the Vault payment methods / options should show. When either is not applicable, the Vault payment methods should not be displayed.
:white_check_mark: Jira issue https://jira.corp.magento.com/browse/AC-2901 is successfully created for this GitHub issue.
:white_check_mark: Confirmed by @sidolov. Thank you for verifying the issue.
Issue Available: @sidolov, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.
@sidolov why was this closed? The labels suggest that this has been 'done', but I don't see any details here about what has been changed in order to fix this.
Hello,
As I can see this issue got fixed in the scope of the internal Jira ticket AC-2901 by the internal team Related commits: https://github.com/search?q=repo%3Amagento%2Fmagento2+AC-2901&type=commits
Based on the Jira ticket, the target version is 2.4.7-beta2.
Thanks
Preconditions (*)
Steps to reproduce (*)
Expected result (*)
Actual result (*)
Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.