Source: http://habrahabr.ru/post/228219/ (via world-of-ru, LJ user Wisejew)

An interesting article appeared on the above-linked portal about World of Tanks payment security. In it, a Russian programmer of payment portals takes a look at the security of various payment portals, including – yes, you guessed right – the Wargaming premium shop.

The author states that he analyzes weaknesses of various payment systems and runs over and over again into the same vulnerability, called… and now I have no idea how to translate it, because I am not a programmer. In Russian it’s “инкрементальные айдишники” – in English, it would be something like… incremental IDs? If there is a programmer amongst the readers, please explain to us what that means :)

Anyway, back to the World of Tanks portal. After making an order, the client redirects the user to a URL of the following format:

http://aggregator-domain/ok.php?payment_id=123456

which in turn redirects the client to the URL of the game in the following format (decoded by the author for easier reading; it is from the Russian server, e.g. the currency is Russian):

https://online-game-domain/shop/?…am...38;item_name=1 day of premium account

The author states that if you figure out the value of the payment_id parameter, you will be able to see the login of the user in the game, their purchases etc. The Wargaming shop is just one of the examples cited by the author. He concludes the post with a statement that due to the sloppiness of programmers, in the case above, a possibility is introduced for hackers to mine personal and account data from the purchases. He also comments on the solution (to use something called a “token” and “an arbitrary string”). From there on (especially in the comments) it gets technical.

I wonder though – how well are our data really protected, given that Wargaming already had some large account data leaks (remember that “change your password for gold” event? That wasn’t just because Wargaming is nice and cares about our security, it was because on the RU server a certain amount of account data got leaked and the accounts got hacked).
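Since the post asks what “incremental IDs” means, here is an added example (not code from the Habrahabr post, from Wargaming, or from the payment aggregator; the domain names, the 128-bit token length and the access-log format are assumptions). It contrasts a toy order store that addresses orders by an incrementing payment_id with one that uses a random per-order token (the “arbitrary string” the post mentions), and adds a small defender-side check over constructed access-log lines that flags a client walking through consecutive payment_id values.

```python
"""Added example: sequential payment_id vs. random per-order token, plus a
detection check over constructed log lines. Not the post's or vendor's code."""
import re
import secrets
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample orders; in the post an order exposes the buyer's game
# login and what was bought ("1 day of premium account").
ORDERS = [
    {"login": "alice", "item_name": "1 day of premium account"},
    {"login": "bob", "item_name": "7 days of premium account"},
]


class VulnerableStore:
    """Orders addressed by an incrementing integer ("инкрементальные айдишники").

    Knowing one payment_id tells you the neighbouring ones: the identifier
    in the redirect URL is the only thing standing between a visitor and
    someone else's order."""

    def __init__(self) -> None:
        self._next_id = 123456  # the number from the post's example URL (assumed start)
        self._orders: Dict[int, dict] = {}

    def create(self, order: dict) -> int:
        payment_id = self._next_id
        self._next_id += 1  # the next order simply gets id + 1
        self._orders[payment_id] = order
        return payment_id

    def ok_url(self, payment_id: int) -> str:
        return f"http://aggregator-domain/ok.php?payment_id={payment_id}"

    def lookup(self, payment_id: int) -> Optional[dict]:
        # Nothing binds the id to the buyer; any integer in range resolves.
        return self._orders.get(payment_id)


class HardenedStore:
    """Orders addressed by a random, single-purpose token.

    An internal integer id may still exist for bookkeeping, but the redirect
    URL carries 128 bits of randomness that cannot be incremented or guessed
    in practice (assumed token size: 16 bytes from secrets.token_urlsafe)."""

    def __init__(self) -> None:
        self._orders: Dict[str, dict] = {}

    def create(self, order: dict) -> str:
        token = secrets.token_urlsafe(16)  # CSPRNG-backed, 22 URL-safe chars
        self._orders[token] = order
        return token

    def ok_url(self, token: str) -> str:
        return f"http://aggregator-domain/ok.php?payment_token={token}"

    def lookup(self, token: str) -> Optional[dict]:
        # Exact match only; an altered or unissued token resolves to nothing.
        return self._orders.get(token)


# Constructed access-log lines: "<timestamp> <client-ip> <method> <path> <status>".
SAMPLE_LOG: List[str] = [
    "2014-06-30T12:00:01 203.0.113.5 GET /ok.php?payment_id=123456 200",
    "2014-06-30T12:00:02 203.0.113.5 GET /ok.php?payment_id=123457 200",
    "2014-06-30T12:00:03 203.0.113.5 GET /ok.php?payment_id=123458 200",
    "2014-06-30T12:00:04 203.0.113.5 GET /ok.php?payment_id=123459 404",
    "2014-06-30T12:00:05 198.51.100.7 GET /ok.php?payment_id=123460 200",
    "2014-06-30T12:00:06 198.51.100.7 GET /shop/ 200",
]

_PAYMENT_ID = re.compile(r"[?&]payment_id=(\d+)")


def flag_enumeration(log_lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Return {client_ip: distinct ids} for clients that requested at least
    `threshold` distinct payment_id values forming consecutive runs.
    A legitimate buyer normally hits one id, their own, after checkout."""
    ids_by_ip: Dict[str, set] = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _ts, ip, _method, path, _status = parts
        match = _PAYMENT_ID.search(path)
        if match:
            ids_by_ip[ip].add(int(match.group(1)))
    flagged: Dict[str, int] = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if len(ids) >= threshold and consecutive >= threshold - 1:
            flagged[ip] = len(ids)
    return flagged


if __name__ == "__main__":
    v = VulnerableStore()
    first = v.create(ORDERS[0])
    print("sequential ids:", first, v.create(ORDERS[1]))
    h = HardenedStore()
    print("hardened url:", h.ok_url(h.create(ORDERS[0])))
    print("flagged clients:", flag_enumeration(SAMPLE_LOG))
```

The point of the detector is only that the access log already contains the signal: a single client fetching several neighbouring payment_id values is not a normal checkout, so the same log line that an aggregator writes anyway can feed an alert, while the token design removes the problem at the source because there is no neighbouring value to try.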
