Database

Description

It is possible to carry out a CSRF fixation attack against the transaction functionality. The Authorization header carries the public key, which is always the same for payment links, so it does not tie a request to the user who initiated it. An attacker can build a button (or page) that submits the content of a prepared transaction request and trick a user who is running a transaction into sending it; the user then receives the app push notification and completes a request whose content the attacker chose.

Impact

Impersonate an authenticated user of the application through a crafted link in order to execute critical transactions, such as transfers or payments, on that user's behalf.

Recommendation

Use anti-CSRF tokens in the forms so the server can verify that each request was made by a legitimate user. The token must be unpredictable, bound to the user's session and validated on every state-changing request; the static public key in the Authorization header cannot serve this purpose, because every payment link shares it.
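The following is an added example, not code from the original page or from the affected application. It simulates the transaction endpoint described above in two forms: the vulnerable one, which only checks the shared public key, and a hardened one that additionally requires a session-bound anti-CSRF token (an HMAC over the session identifier and a random nonce). The public key, session identifiers, request bodies and the `csrf_token` field name are all constructed for illustration.

```python
"""Added example (not the page's own code): a simulated payment endpoint with
the weak check described above beside a hardened version that requires a
session-bound anti-CSRF token. All names, keys and session identifiers are
constructed for illustration."""
import hashlib
import hmac
import os
import secrets

# Constructed: the public key that every payment link shares. Because it is
# public and static, its presence proves nothing about who sent the request.
PUBLIC_KEY = "pk_live_constructed_example"

# Server-side secret used to mint and verify anti-CSRF tokens (assumption:
# generated at startup and never sent to clients).
_CSRF_SECRET = os.urandom(32)


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to one session: random nonce + HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(_CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare it in constant time."""
    if not token or "." not in token:
        return False
    nonce, presented_mac = token.split(".", 1)
    expected = hmac.new(_CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented_mac)


def _authorized(headers: dict) -> bool:
    return headers.get("Authorization") == f"Bearer {PUBLIC_KEY}"


def transfer_vulnerable(headers: dict, body: dict) -> tuple:
    """Weak check: only the shared public key is validated, so a request forged
    by a third-party page carrying the same header is accepted and the push
    notification goes to the victim."""
    if not _authorized(headers):
        return 401, "unauthorized"
    return 200, f"push notification sent: transfer {body['amount']} to {body['to']}"


def transfer_hardened(headers: dict, body: dict, session_id: str) -> tuple:
    """Hardened check: the request must also carry a token minted for the
    session that submits it (session_id would come from the session cookie)."""
    if not _authorized(headers):
        return 401, "unauthorized"
    if not verify_csrf_token(session_id, body.get("csrf_token", "")):
        return 403, "missing or invalid anti-CSRF token"
    return 200, f"push notification sent: transfer {body['amount']} to {body['to']}"


# Constructed sessions and requests
VICTIM_SESSION = "sess-victim-0001"
ATTACKER_SESSION = "sess-attacker-0002"
HEADERS = {"Authorization": f"Bearer {PUBLIC_KEY}"}  # the attacker knows it: it is public


def attacker_request() -> dict:
    """Body an attacker's page can submit from the victim's browser. The attacker
    cannot read the victim's token (same-origin policy) but can mint one for
    their own session; the hardened endpoint must reject it as not bound to the victim."""
    return {"to": "attacker-account", "amount": "1000",
            "csrf_token": issue_csrf_token(ATTACKER_SESSION)}


def legitimate_request(session_id: str) -> dict:
    """Body of a form the application rendered for this session."""
    return {"to": "landlord", "amount": "500",
            "csrf_token": issue_csrf_token(session_id)}


def run_demo() -> dict:
    """Return the HTTP status each endpoint gives to each request."""
    forged = attacker_request()
    return {
        "vulnerable_forged": transfer_vulnerable(HEADERS, forged)[0],
        "hardened_forged": transfer_hardened(HEADERS, forged, VICTIM_SESSION)[0],
        "hardened_legit": transfer_hardened(HEADERS, legitimate_request(VICTIM_SESSION), VICTIM_SESSION)[0],
        "hardened_no_key": transfer_hardened({}, legitimate_request(VICTIM_SESSION), VICTIM_SESSION)[0],
    }


if __name__ == "__main__":
    for case, status in run_demo().items():
        print(f"{case}: HTTP {status}")
```

The point of binding the token to the session is visible in the `hardened_forged` case: the attacker can obtain a perfectly valid token for their own session, yet it is rejected when submitted from the victim's session, so the server never sends the victim the push notification for a request the attacker prepared.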

Threat

Attacker from the Internet without authentication.

Expected Remediation Time

⏱️ 60 minutes.