CVSS2: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |

EPSS: 0.004 Low (Percentile: 74.4%)
Aptexx Resident Anywhere does not require authentication to view and modify sensitive information contained in direct account and payment URLs, which can be leveraged to bypass authentication and access user accounts.
CWE-288: Authentication Bypass Using an Alternate Path or Channel - CVE-2014-4882
Aptexx Resident Anywhere, an online payment processing and maintenance request handling service for property managers, does not require authentication to view and modify the account information of its users. Anyone with knowledge of a direct account URL or the ability to guess one can gain account access, bypassing authentication. Account access enables a user to view and modify account data and to submit payments and requests.
A remote, unauthenticated attacker with access to a specific URL can acquire the last four digits of any stored payment account numbers, as well as the name, address, email address, phone number, and payment history of the victim user. The attacker can modify or remove account information, set a new password, and submit fraudulent maintenance requests and payments using stored payment methods.
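The defect described above, a link whose random token alone grants view and modify access, modelled as an added Python example beside a hardened handler that uses the token only to identify the account and requires an authenticated owner session for everything else. This is illustrative code, not Aptexx's; the account record, token, action names and session layout are constructed for the example.

```python
# Added illustration, not Aptexx code: the access-control defect the advisory
# describes, modelled as two request handlers for an e-mailed "direct account
# URL" that carries a random token. Accounts, tokens, action names and the
# session layout are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    owner: str            # username that must be authenticated to act on it
    name: str
    payment_last4: str    # last four digits of the stored payment method
    history: list = field(default_factory=list)


ACCOUNTS = {"acct-1001": Account("alice", "Alice Example", "4242", ["2014-08-01 rent"])}
# Constructed per-link random token -> the account the link points at
LINK_TOKENS = {"6d1f2b8e0c3a4f5e9b7d8a1c2e3f4a5b": "acct-1001"}

# Actions that change data or move money (password reset, profile edit, payment)
MUTATING = {"update_profile", "set_password", "submit_payment"}


def handle_vulnerable(token: str, action: str) -> tuple:
    """Pattern described in the advisory: holding the link is enough to view
    and modify the account, so there is no authentication step at all."""
    acct = ACCOUNTS.get(LINK_TOKENS.get(token, ""))
    if acct is None:
        return ("not_found", None)
    return ("ok", acct)          # any action, for anyone who has the token


def handle_hardened(token: str, action: str, session: Optional[dict]) -> tuple:
    """Hardened form: the token only identifies which account the link refers
    to. Viewing or changing anything requires an authenticated session whose
    user owns that account; otherwise the caller is sent to log in first."""
    acct_id = LINK_TOKENS.get(token)
    if acct_id is None:
        return ("not_found", None)
    if not session or not session.get("authenticated"):
        return ("login_required", acct_id)   # redirect to login, then return here
    acct = ACCOUNTS[acct_id]
    if session.get("user") != acct.owner:
        return ("forbidden", None)          # logged in, but not this account's owner
    if action in MUTATING and not session.get("fresh"):
        return ("reauth_required", acct_id) # added control: recent password entry for changes
    return ("ok", acct)
```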
The CERT/CC is currently unaware of a practical solution to this problem. Until this vulnerability is addressed, Aptexx users should consider the following workaround:
Do not store sensitive information
Do not store sensitive information, specifically payment (credit/debit card or bank account) information with Aptexx until this vulnerability has been resolved. Current users should consider removing sensitive information from their Aptexx accounts.
595884
Vendor: Aptexx
Notified: August 28, 2014
Updated: July 01, 2015
Statement Date: June 30, 2015
Status: Affected
Aptexx is diligent in its protection of customers' Personal Identifying Information (PII) as defined in Fed. Reg. 15736-15754 - “Sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.”
The only information available to anyone who logs into Aptexx using the link referenced by CERT is a user’s First and Last Name. The account page does not display full credit card numbers, debit card numbers, or bank account numbers. This information resides in a different system controlled by a PCI Level 1 compliant third party and is not accessible via the payment URLs or by Aptexx. No personal bank account, credit card, or debit card information can be accessed or otherwise derived from the payment URLs. The URLs are only sent via e-mail or text message to users who have been previously authenticated by our clients. Each link is comprised of a randomly generated GUID. There is no inherent risk in displaying the last 4 digits of a bank account number or debit/credit card as that information is not sufficient to fraudulently issue transactions on an account.
In 2014, Aptexx made the change recommended by CERT that requires users to authenticate with a username and password in order to access their account. In addition, Aptexx undergoes annual 3rd party infrastructure and application security penetration tests and resolves all issues as recommended by the independent 3rd Party.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 6.8 | E:POC/RL:U/RC:C |
Environmental | 2.0 | CDP:MH/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Claus Jensen for reporting this vulnerability.
This document was written by Todd Lewellen and Joel Land.
CVE IDs: | CVE-2014-4882 |
---|---|
Date Public: | 2015-06-08 |
Date First Published: | |