A flaw in our Credit Card Verification process was reported that could have allowed an attacker to avail themselves of a Xero Subscription without paying for it, for a month at most. This was rated as non-critical and was quickly fixed. Mitigation measures were in place to detect any abuse and we have no reports of this flaw ever being exploited.

While reviewing the application, I identified that there was functionality that was restricted to paying users, such as adding unlimited users, file storage, bank feeds, multiple currencies, etc. In order to access these features and continue usage after a trial period a user must complete a credit card payment through paymentexpress. I identified that the paymentexpress integration is insecure and allows an authenticated attacker to obtain access to a premium account, thereby affecting the integrity of the system and possibly internal Xero accounting systems.
I did not verify at the time whether this also allowed users to abuse other sections of the application, such as paying for invoices.
After a failed payment, paymentexpress redirected users to /!xkcD/Dps/Authority/Fail?result=XX&userid=XX. Exploitation of this issue was triggered by changing the URL so that it pointed to "Success" instead of "Fail":
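As an added example (not Xero's or Payment Express's code), the return handler pattern that trusts the redirect path is shown beside one that confirms the outcome against the gateway's own record; the in-memory record store, and reading `result` as the gateway's transaction reference, are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the gateway's authoritative transaction records.
# In production this is a server-to-server status query to the gateway,
# authenticated with merchant credentials; the browser redirect is never trusted.
GATEWAY_RECORDS = {
    "txn-001": {"userid": "42", "status": "declined"},
    "txn-002": {"userid": "43", "status": "approved"},
}

def gateway_lookup(result_token):
    """Assumed: the 'result' query parameter is the gateway's transaction reference."""
    return GATEWAY_RECORDS.get(result_token)

@dataclass
class Account:
    userid: str
    premium: bool = False

def handle_return_insecure(url, account):
    """Vulnerable pattern: the account is upgraded whenever the gateway
    redirect lands on /Success, so the path alone decides the outcome."""
    if urlparse(url).path.endswith("/Success"):
        account.premium = True
    return account.premium

def handle_return_verified(url, account):
    """Hardened pattern: the path is only a hint. The gateway record decides,
    and it must belong to the logged-in user and be approved."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    token = qs.get("result", [None])[0]
    claimed_user = qs.get("userid", [None])[0]
    record = gateway_lookup(token) if token else None
    if record is None:
        return False                     # unknown or missing reference
    if claimed_user != account.userid or record["userid"] != account.userid:
        return False                     # tampered userid or someone else's txn
    if record["status"] != "approved":
        return False                     # declined/failed: no upgrade
    account.premium = True
    return True
```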