Severity: Critical (Active)

Authentication & Authorization Bypass in mpp Payment Handler - Request Replay and Session Hijacking

mpp versions before 0.8.0 contain multiple authentication bypass vulnerabilities allowing attackers to replay payment requests, hijack session channels, and manipulate fee responsibility. This PoC matters for defenders as it demonstrates systemic weaknesses in request validation and session management that affect financial transaction integrity.

Sebastion

CVE References

Affected

mpp/<0.8.0

Vulnerability Analysis

Root Cause & Impact: The mpp library fails to implement proper cryptographic request binding and session validation mechanisms. The vulnerabilities span multiple attack surfaces: (1) tempo/charge handlers lack request idempotency tokens or signatures, enabling free transactions and replay attacks; (2) tempo/session channels lack proper authentication checks, allowing unauthorized access and griefing; (3) fee payer fields are not properly validated or immutable, permitting fee responsibility manipulation. These represent critical authentication and authorization failures affecting financial integrity.

PoC Significance: This disclosure proves that the library's payment processing core lacks fundamental security controls expected in financial systems. Request replay attacks are trivially reproducible given observable network traffic. Session hijacking requires minimal authentication context. The vulnerabilities affect both primary transaction flows (tempo/charge, stripe/charge) and session management (tempo/session), indicating architectural rather than isolated implementation flaws.

Detection Guidance: Monitor for: (1) duplicate charge request IDs within short time frames; (2) session channel access from unauthorized clients or IPs; (3) fee payer modifications mid-transaction; (4) multiple charge requests with identical amounts or timestamps from the same source; (5) unusual session channel reuse patterns. Log all authentication failures and invalid session access attempts. Implement request signature validation logging to identify unsigned or malformed requests.
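The five checks above, applied to a handful of constructed charge and session log records. This is an added example, not tooling from mpp or from the advisory author: the JSON field names, the 300-second replay window and the sample lines are all assumptions chosen for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: "short timeframe" for a duplicate request ID means 5 minutes.
REPLAY_WINDOW_SECONDS = 300

# Constructed sample records (not real mpp output). Field names are invented.
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:00Z","event":"charge","request_id":"req-1","source":"10.0.0.5","amount":500,"fee_payer":"payer","session":"sess-A","client":"c1"}
{"ts":"2024-05-01T10:00:02Z","event":"charge","request_id":"req-1","source":"10.0.0.5","amount":500,"fee_payer":"payer","session":"sess-A","client":"c1"}
{"ts":"2024-05-01T10:00:05Z","event":"charge","request_id":"req-2","source":"10.0.0.7","amount":900,"fee_payer":"payer","session":"sess-B","client":"c2"}
{"ts":"2024-05-01T10:00:09Z","event":"charge","request_id":"req-2","source":"10.0.0.7","amount":900,"fee_payer":"payee","session":"sess-B","client":"c2"}
{"ts":"2024-05-01T10:00:12Z","event":"session_open","request_id":"req-3","source":"10.0.0.9","session":"sess-A","client":"c9"}
{"ts":"2024-05-01T10:00:20Z","event":"charge","request_id":"req-4","source":"10.0.0.5","amount":250,"fee_payer":"payer","session":"sess-C","client":"c1"}
{"ts":"2024-05-01T10:00:20Z","event":"charge","request_id":"req-5","source":"10.0.0.5","amount":250,"fee_payer":"payer","session":"sess-C","client":"c1"}
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(log_text, replay_window=REPLAY_WINDOW_SECONDS):
    """Return a sorted list of (rule, key) findings for the given JSON-lines log."""
    findings = set()
    first_seen = {}            # request_id -> (first timestamp, fee_payer at first sight)
    session_owner = {}         # session -> client that first used it
    burst = defaultdict(int)   # (source, amount, ts) -> number of charge requests

    for raw in log_text.strip().splitlines():
        rec = json.loads(raw)
        ts = parse_ts(rec["ts"])
        rid = rec.get("request_id")

        if rec["event"] == "charge":
            if rid in first_seen:
                prev_ts, prev_payer = first_seen[rid]
                # Rule 1: same request ID seen again inside the replay window.
                if (ts - prev_ts).total_seconds() <= replay_window:
                    findings.add(("duplicate_request_id", rid))
                # Rule 3: fee payer changed for a request already in flight.
                if rec.get("fee_payer") != prev_payer:
                    findings.add(("fee_payer_changed", rid))
            else:
                first_seen[rid] = (ts, rec.get("fee_payer"))
            # Rule 4: identical amount and timestamp from the same source.
            key = (rec["source"], rec["amount"], rec["ts"])
            burst[key] += 1
            if burst[key] > 1:
                findings.add(("repeated_amount_same_source", rec["source"]))

        # Rules 2 and 5: a session channel used by a client other than its first user.
        session = rec.get("session")
        if session:
            owner = session_owner.setdefault(session, rec["client"])
            if owner != rec["client"]:
                findings.add(("session_reuse_by_other_client", session))

    return sorted(findings)


if __name__ == "__main__":
    for rule, key in analyze(SAMPLE_LOG):
        print(f"{rule}: {key}")
```

The rules are deliberately stateful rather than per-line, since every signal the guidance names (a repeated ID, a changed payer, a session seen from a second client) only exists across records; in production the same logic runs over a time-bounded window rather than an in-memory dict.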

Mitigation Steps: Immediately upgrade to mpp 0.8.0 or later. No workarounds exist for these vulnerabilities, making patching mandatory. Implement additional controls: enforce request signing with cryptographic nonces, add session token rotation, implement rate limiting per client/session, validate fee payer immutability at transaction commitment, log all payment operations with full context.
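The controls listed under Mitigation Steps (signed requests with single-use nonces, idempotent request IDs, fee payer locked at commit) in one small charge handler. This is an added example, not mpp's code or its API: the request fields, the shared HMAC secret between client and handler, the 300-second freshness window and the `demo()` scenario are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Assumption: every request is a dict carrying these fields, and all of them are signed.
SIGNED_FIELDS = ("request_id", "nonce", "timestamp", "amount", "fee_payer", "session")


def canonical_bytes(req):
    """Serialise exactly the signed fields so the signature binds every one of them."""
    body = {k: req[k] for k in SIGNED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(secret, req):
    return hmac.new(secret, canonical_bytes(req), hashlib.sha256).hexdigest()


class ChargeHandler:
    def __init__(self, secret, freshness=300, clock=time.time):
        self._secret = secret
        self._freshness = freshness   # seconds a signed request stays valid
        self._clock = clock           # injectable so the behaviour is testable
        self._nonces = {}             # nonce -> expiry time
        self._committed = {}          # request_id -> committed record
        self.ledger = []              # one entry per charge actually applied

    def charge(self, req, signature):
        now = self._clock()
        # 1. Signature covers every field: a tampered fee_payer or amount fails here.
        if not hmac.compare_digest(sign_request(self._secret, req), signature):
            return ("rejected", "bad_signature")
        # 2. Freshness: an old capture cannot be presented later.
        if abs(now - req["timestamp"]) > self._freshness:
            return ("rejected", "stale")
        # 3. Idempotency: a committed request_id is never charged twice, and the
        #    fee_payer and amount recorded at commit are immutable.
        rec = self._committed.get(req["request_id"])
        if rec is not None:
            if rec["fee_payer"] != req["fee_payer"] or rec["amount"] != req["amount"]:
                return ("rejected", "committed_fields_immutable")
            return ("duplicate", rec["txn"])
        # 4. Single-use nonce: catches a client reusing a nonce under a new request_id.
        self._nonces = {n: exp for n, exp in self._nonces.items() if exp > now}
        if req["nonce"] in self._nonces:
            return ("rejected", "nonce_reused")
        self._nonces[req["nonce"]] = now + self._freshness
        # 5. Commit: fee_payer is taken from the signed body and fixed from here on.
        txn = f"txn-{len(self.ledger) + 1}"
        record = {"txn": txn, "amount": req["amount"], "fee_payer": req["fee_payer"]}
        self.ledger.append(record)
        self._committed[req["request_id"]] = record
        return ("accepted", txn)


def demo():
    """Run a constructed request through each check; returns the outcomes by name."""
    secret = b"constructed-shared-secret"
    handler = ChargeHandler(secret, clock=lambda: 1_700_000_000.0)
    req = {"request_id": "req-1", "nonce": "n-1", "timestamp": 1_700_000_000,
           "amount": 500, "fee_payer": "payer", "session": "sess-A"}
    sig = sign_request(secret, req)
    out = {}
    out["first"] = handler.charge(req, sig)            # accepted once
    out["replay"] = handler.charge(req, sig)           # verbatim resend: no second charge
    tampered = dict(req, fee_payer="payee")
    out["tampered"] = handler.charge(tampered, sig)    # fee_payer changed, signature breaks
    resigned = dict(req, fee_payer="payee")
    out["resigned"] = handler.charge(resigned, sign_request(secret, resigned))  # immutable
    stale = dict(req, request_id="req-2", nonce="n-2", timestamp=1_699_999_000)
    out["stale"] = handler.charge(stale, sign_request(secret, stale))
    reused = dict(req, request_id="req-3", nonce="n-1")
    out["nonce"] = handler.charge(reused, sign_request(secret, reused))
    out["ledger_entries"] = len(handler.ledger)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The ordering of the checks matters: the signature is verified before any state is read, and the idempotency record is consulted before the nonce store, so a legitimate client retry of an already committed request gets the original transaction ID back instead of an error, while any attempt to alter the fee payer of that committed request is refused.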

Risk Assessment: Exploitation likelihood is very high in production environments—request replay and session hijacking require no special privilege escalation. Threat actors actively target payment systems; this vulnerability class (authentication bypass in financial handlers) is consistently exploited. Organizations running unpatched versions face immediate risk of unauthorized charges, griefing attacks disrupting service availability, and financial loss through manipulated fee allocation.