(→B. Firefox OS / Android: remove unnec table) |
(→Threat Model: add edited threat model from Ray's deprecated review) |
Line 190: | Line 190: | ||
| align="center" style="background:#f0f0f0;"|'''Rating''' | | align="center" style="background:#f0f0f0;"|'''Rating''' | ||
| align="center" style="background:#f0f0f0;"|'''Likelihood''' | | align="center" style="background:#f0f0f0;"|'''Likelihood''' | ||
| align="center" style="background:#f0f0f0;"|'''Impact''' | | align="center" style="background:#f0f0f0;"|'''Impact''' | ||
| align="center" style="background:#f0f0f0;"|'''Notes''' | | align="center" style="background:#f0f0f0;"|'''Notes''' | ||
|- | |- | ||
|- | |- | ||
| 2|| | | 1||malicious access to apps device ||If a phone is stolen or given to a friend/family member, it is possible for that person to make purchases.||A PIN is to be implemented that is required for purchases and in-app purchases. CEF logging on transactions to track excessive purchases. Incident response to deal wiht stolen phone.||Malicious User||12||3||4 – Reputation||In other systems (i.e. iOS, this i a configured parameter. | ||
|- | |||
| 2||Malicious extension could steal authentication credentials ||A rogue extension could possibly steal credentials or cause transactions to happen.||A PIN is to be implemented that is required for purchases and in-app purchases. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials.||Malicious Developer||12||3||4 – Reputation|| Must be registered with marketplace. | |||
|- | |||
| 4||Malicious App creates fake iframe ||An app could create an iframe in order to overlay a purchase iframe. || CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. ||Malicious App||12||3||4 – Reputation|| | |||
|- | |||
| 5||Malicious App creates fake iframe ||An app could create an iframe in order to overlay a purchase iframe. ||CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. Paypal account shows all purchases. ||Malicious App||12||3||4 – Reputation|| | |||
|- | |||
| 6||XSS vuln could allow malicious user to force purchase ||If a XSS is found in the marketplace, this could be used to force a purchase. ||CSP is enabled on Payments. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. Paypal account shows all purchases. ||Malicious App||12||3||4 – Reputation|| | |||
|- | |||
| 7||CSRF could force purchase. ||If a XSS is found in the marketplace, this could be used to force a purchase. ||CSRF protection token on the marketplace site. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. ||Malicious App||12||3||4 – Reputation|| | |||
|- | |- | ||
| | | 8||Compromise web heads||The attacker could then leverage their access to attack other parts of the application environment or to serve arbitrary/manipulated content to users.||Mitigation possibilities are being discussed.||System access||12||3||4 – Reputation|| | ||
|- | |- | ||
|} | |} | ||
[[image:TEMPLATE-Threat-Model.png|thumb|TEMPLATE Implementation Dataflow]] | [[image:TEMPLATE-Threat-Model.png|thumb|TEMPLATE Implementation Dataflow]] | ||
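Review bot: the description in row 7 ("CSRF could force purchase") is a copy of the XSS row above it ("If a XSS is found in the marketplace, this could be used to force a purchase") and does not describe the CSRF threat; it should say what a forged cross-site request against the purchase flow would do and why the "CSRF protection token on the marketplace site" mitigation addresses it. Rows 4 and 5 ("Malicious App creates fake iframe") are identical except that row 5 appends "Paypal account shows all purchases." to the mitigations; one of them should be dropped or they should be merged so the table does not count the same threat twice. Row 1 needs cleanup: the title "malicious access to apps device" is unclear (presumably the device, not the apps, is accessed), "wiht" should be "with", "this i a configured parameter" should be "this is a configured parameter", and the parenthesis opened at "(i.e. iOS," is never closed. Rows 6 and 7 list "Malicious App" as the threat agent although their descriptions concern a marketplace XSS or CSRF, where the actor is a malicious web page or user rather than an installed app, so the agent column should be revisited. Row 8 ("Mitigation possibilities are being discussed.") leaves the highest-impact entry without a mitigation; if none is decided yet, mark it as an open item rather than leaving the cell read like a completed mitigation.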