Announcing CVE-2018-12076

I am announcing a vulnerability that I found in he UPC bar code of the Avanti Markets MarketCard could allow an unauthenticated, local attacker to access funds within the customer’s MarketCard balance, and also could lead to Customer Information Disclosure.

The data (as submitted to Mitre) is below:

Vulnerability Announcement

Suggested description

A vulnerability in the UPC bar code of the Avanti Markets MarketCard couldĀ  allow an unauthenticated, local attacker to access funds within theĀ  customer’s MarketCard balance, and also could lead to Customer Information Disclosure. The vulnerability is due to lack of proper validation of the UPC bar code present on the MarketCard. An attacker could exploit this vulnerability by generating a copy of a customer’s bar code. An exploit could allow the attacker to access all funds located within the MarketCard or allow unauthenticated disclosure of information.

Additional Information

This can be a serious vulnerability as it allows an attacker to directly steal funds from a MarketCard Customer. The fix for this vulnerability could be a simple dual authentication from the Customer at time of purchase from the Avanti Markets via Google Authenticator.

Vulnerability Type

Incorrect Access Control

Vendor of Product

Avanti Markets

Affected Product Code Base

Avanti MarketCard – All versions are affected

Affected Component

Avanti Markets MarketCard Authentication

Attack Type

Physical

Impact Information Disclosure

True

Attack Vectors

To exploit this vulnerability an attacker must generate a Bar-Code with the “UPC A” format of the Customer’s MarketCard.

Has vendor confirmed or acknowledged the vulnerability?

True

Discoverer

Trae Horton

Remediation

Avanti Market has implemented a pin to act with the MarketCard to successfully implement 2FA.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12076

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12076