| align="center" style="background:#f0f0f0;"|'''Notes'''
|-
| 1||Compromise Paypal API Key||The Paypal API key is used for communication with paypal and identifies Mozilla. If this key is leaked, it is possible to impersonate Mozilla to Paypal.||Separation of payment systems from the rest of AMO. Incident response process to include communication with paypal to disable API key. Proper CEF logging key.||Skilled Attacker||12||3||4 – Reputation||
|-
| 2||Compromise AMO database||Currently, customer's paypal information resides in the AMO database. If the AMO database is compromised this would include paypal information.||Separation of payment data from the rest of AMO. Incident response process to include communication with paypal to disable pre-auth keys. Proper CEF logging key.||Skilled Attacker||12||3||4 – Reputation||For an actual compromise, this would require the paypal API key as well.
|-
| 3||Malicious access to apps device||If a phone is stolen or given to a friend/family member, it is possible for that person to make purchases.||A PIN is to be implemented that is required for purchases and in-app purchases. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen phone.||Malicious User||12||3||4 – Reputation||In other systems (i.e. iOS), this is a configured parameter.
|-
| 4||Malicious extension could steal browserid credentials||A rogue extension could possibly steal credentials or cause transactions to happen.||A PIN is to be implemented that is required for purchases and in-app purchases. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials.||Malicious Developer||12||3||4 – Reputation||It is not possible to siphon funds to any paypal account. Must be registered with marketplace.
|-
| 5||Malicious App creates fake iframe||An app could create an iframe in order to overlay a purchase iframe.||A PIN is to be implemented that is required for purchases and in-app purchases. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. Paypal account shows all purchases.||Malicious App||12||3||4 – Reputation||
|-
| 6||Malicious App creates fake iframe||An app could create an iframe in order to overlay a purchase iframe.||A PIN is to be implemented that is required for purchases and in-app purchases. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. Paypal account shows all purchases.||Malicious App||12||3||4 – Reputation||
|-
| 7||XSS vuln could allow malicious user to force purchase||If an XSS is found in the marketplace, this could be used to force a purchase.||A PIN is to be implemented that is required for purchases and in-app purchases. Enable CSP on the marketplace site. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. Paypal account shows all purchases.||Malicious App||12||3||4 – Reputation||
|-
| 8||CSRF could force purchase.||If an XSS is found in the marketplace, this could be used to force a purchase.||A PIN is to be implemented that is required for purchases and in-app purchases. Enable CSRF protection token on the marketplace site. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. Paypal account shows all purchases.||Malicious App||12||3||4 – Reputation||
|-
|}
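Rows 3 to 8 all lean on "CEF logging on transactions to track excessive purchases" as a mitigation. The following is an added example of what the detection side of that could look like; it is not Mozilla's code, and the event fields (suser, rt, cs1), the ISO timestamp in rt, the 15-minute window and the threshold of three purchases are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in ArcSight CEF syntax (not real Marketplace logs):
# CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
SAMPLE_LOG = """\
CEF:0|Mozilla|Marketplace|1.0|login|User login|1|suser=bob rt=2012-03-01T09:59:00
CEF:0|Mozilla|Marketplace|1.0|purchase|App purchase|3|suser=alice rt=2012-03-01T10:00:00 cs1=app-1001 cs1Label=appId
CEF:0|Mozilla|Marketplace|1.0|purchase|App purchase|3|suser=alice rt=2012-03-01T10:40:00 cs1=app-1002 cs1Label=appId
CEF:0|Mozilla|Marketplace|1.0|purchase|App purchase|3|suser=bob rt=2012-03-01T10:00:00 cs1=app-1001 cs1Label=appId
CEF:0|Mozilla|Marketplace|1.0|purchase|App purchase|3|suser=bob rt=2012-03-01T10:03:00 cs1=app-1003 cs1Label=appId
CEF:0|Mozilla|Marketplace|1.0|purchase|App purchase|3|suser=bob rt=2012-03-01T10:06:00 cs1=app-1004 cs1Label=appId
CEF:0|Mozilla|Marketplace|1.0|purchase|App purchase|3|suser=bob rt=2012-03-01T10:09:00 cs1=app-1005 cs1Label=appId
CEF:0|Mozilla|Marketplace|1.0|purchase|App purchase|3|suser=bob rt=2012-03-01T10:12:00 cs1=app-1006 cs1Label=appId
CEF:0|Mozilla|Marketplace|1.0|purchase|App purchase|3|suser=bob rt=2012-03-01T11:30:00 cs1=app-1007 cs1Label=appId
"""
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature", "name", "severity")

def parse_cef(line):
    """Return the seven CEF header fields plus extension key=value pairs, or None if not CEF."""
    # Header pipes may be escaped as '\|', so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7) if line.startswith("CEF:") else []
    if len(parts) != 8:
        return None
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    # An extension value runs until the next ' key=' token, so values may contain spaces.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7].strip()):
        event[key] = value
    return event

def excessive_purchasers(log_text, max_purchases=3, window=timedelta(minutes=15)):
    """Return {user: peak purchases} for users exceeding max_purchases inside any window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_cef(line)
        if event and event["signature"] == "purchase":   # ignore logins and other events
            times[event["suser"]].append(datetime.fromisoformat(event["rt"]))
    flagged = {}
    for user, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):   # sliding window over the sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_purchases:
            flagged[user] = peak
    return flagged
```

On the constructed log, `excessive_purchasers(SAMPLE_LOG)` flags only bob, whose five purchases fall inside twelve minutes; alice's two purchases are forty minutes apart and stay under the threshold.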