On Monday, June 28, 2004, 12:31:06 AM, you wrote:
> Mark Geisinger wrote:

>> Wondering if Website Builder might be useful for an entry level
>> e-commerce site, and being curious how it's handling the payment
>> gateways in JavaScript, I set up a trial account and had a look at
>> the checkout page. Much to my surprise, I found that the Authorize.net
>> login name and transaction key are in clear text in the generated
>> page. The login name is in a hidden form field, and the transaction
>> key is assigned to a variable in call_sub().
>>
>> Does anyone at Tucows think this is a really, really, bad idea?

> Is the "transaction key" that you speak of the same as the account
> password?

While they are two discrete values for Authorize.net, the answer to your
question is yes. Absent a transaction key being established for a merchant
account, the account password can be used in x_password.

> It would take someone about five seconds to guess our account login, so
> AFAIC embedding it in a generated page's source is somewhat stupid, but
> harmless.  Embedding the account password, on the other hand, would be
> quite serious.

> I'm looking at some code I wrote for the AuthorizeNet 3.1 gateway and
> there are two form fields clearly named "x_login" and "x_password".
> In this trial account, have you actually set it up to use your
> AuthorizeNet account so that you can verify that this "transaction key" is
> indeed your account password?

Huh? There is no need to either use an actual account's credentials, or verify
anything beyond the fact that the login name and transaction key are in the
source in clear text. Here's the source with the login of "bubba" and the
transaction key of "bubbafied".

function call_sub(frm_obj)
{
        loginid = frm_obj.x_login.value;
        sequence = frm_obj.x_fp_sequence.value;
        frm_obj.x_fp_timestamp.value = tstamp;
        tstamp = frm_obj.x_fp_timestamp.value;
        amount = frm_obj.x_amount.value;
        txnkey = "bubbafied";
        currency = frm_obj.x_currency_code.value;
        data = loginid + "^" + sequence + "^" + tstamp + "^" + amount + "^" + currency;
        var fingerprint = hex_hmac_md5 ( txnkey, data );
        frm_obj.x_fp_hash.value = fingerprint;
        frm_obj.x_invoice_num.value = frm_obj.x_fp_sequence.value + "" + parseInt( (Math.random()*10000) );
        frm_obj.submit();
        return true;
}

<input type='hidden' name='x_login' value='bubba' >

-- 
Best regards,

Mark Geisinger
[EMAIL PROTECTED]
