High Severity
CVSS 8.8

Critical Vulnerability Report: SEPA Direct Debit Payment System Validation Issue

November 15, 2024

Summary

A significant vulnerability has been identified in Dropbox's SEPA Direct Debit payment system that allows premium subscription activation without proper IBAN validation. This could potentially violate EU financial regulations around payment verification and pose risks of unauthorized IBAN usage.

CVSS Score: 8.8 (High)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Impact: High

The vulnerability is currently being discussed in a private Telegram group with 10,000 members.

Technical Details

The current implementation allows:

  • Premium subscription activation using any IBAN without proper verification
  • Bypass of standard payment controls via VPN (tested with Italy, postal code 00185)
  • Immediate access to Dropbox Essentials Plus + 1TB Add-on + Replay (€366 value)

Regulatory Implications

The EU's new Instant Payments Regulation mandates:

  • Verification that the IBAN matches the account holder name for all SEPA transactions
  • Implementation deadline of October 2025 for payment service providers
  • Mandatory payee verification for all Euro transactions

Business Impact

Potential Financial Implications

  • Some revenue loss from failed SEPA mandates for invalid IBANs
  • Possible regulatory scrutiny under new EU payment regulations
  • Processing fees for failed Direct Debit returns

Customer Trust Issues

  • Risk of unauthorized IBAN usage in payment systems
  • Potential for fraudulent subscription activations
  • Customer complaints about unauthorized charges

Proof of Concept

The video demonstration includes:

  • VPN connection to Italy (00185)
  • IBAN entry without verification
  • Premium feature activation
  • Successful bypass of payment controls

Recommended Fixes

Based on the new EU regulations:

  • Implement IBAN verification:
    - Account holder name validation
    - Integration with verification services like SurePay or Signicat
    - Real-time IBAN validation before subscription activation
  • Follow payment processing best practices:
    - Verify payment before service provisioning
    - Implement proper transaction monitoring
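As an added illustration of the "real-time IBAN validation before subscription activation" item (example code written for this page, not part of the original report or of Dropbox's systems): the ISO 13616 structural check with its MOD 97-10 checksum, followed by a provisioning gate that additionally requires a positive payee-name match, since a checksum pass only catches typos and says nothing about who owns the account. The country length table, the function names and the verification outcome strings ("MATCH", "NO_MATCH") are assumptions, not any vendor's real API.

```python
import re

# Registered IBAN lengths for a handful of SEPA countries. This is a subset of the
# ISO 13616 registry listed here as an assumption; a real deployment loads the full registry.
IBAN_LENGTHS = {"DE": 22, "ES": 24, "FR": 27, "GB": 22, "IT": 27, "NL": 18}


def normalise_iban(raw: str) -> str:
    """Strip whitespace and upper-case, so 'it60 x054 ...' equals 'IT60X054...'."""
    return re.sub(r"\s+", "", raw).upper()


def iban_is_well_formed(raw: str) -> bool:
    """ISO 13616 structural check: syntax, registered length and MOD 97-10 checksum.

    A pass only proves the string is a syntactically valid IBAN (typo detection);
    it proves nothing about account ownership.
    """
    iban = normalise_iban(raw)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]+", iban):
        return False
    if IBAN_LENGTHS.get(iban[:2]) != len(iban):
        return False
    # Move country code + check digits to the end, expand letters A..Z to 10..35,
    # and reduce the resulting number mod 97 incrementally (no big integers needed).
    remainder = 0
    for ch in iban[4:] + iban[:4]:
        value = ord(ch) - 55 if ch.isalpha() else int(ch)
        for digit in str(value):
            remainder = (remainder * 10 + int(digit)) % 97
    return remainder == 1


def may_activate_subscription(raw_iban: str, payee_check: str) -> bool:
    """Provisioning gate: activate only when the IBAN is well formed AND the
    payee-verification service reported a name/IBAN match.

    payee_check is the outcome returned by the verification service; the values
    "MATCH" / "CLOSE_MATCH" / "NO_MATCH" are an assumption, not a vendor's real API.
    """
    return iban_is_well_formed(raw_iban) and payee_check == "MATCH"


if __name__ == "__main__":
    # Constructed inputs; the IT and GB values are commonly published documentation
    # example IBANs, not real accounts. The second IT entry has its last digit altered.
    for iban, check in [("IT60 X054 2811 1010 0000 0123 456", "MATCH"),
                        ("IT60 X054 2811 1010 0000 0123 457", "MATCH"),
                        ("GB82 WEST 1234 5698 7654 32", "NO_MATCH")]:
        print(iban, "->", "activate" if may_activate_subscription(iban, check) else "refuse")
```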

Disclosure Timeline

  • Public disclosure date: 18/12/2024
  • Timeline may be extended if remediation requires additional time

Conclusion

While the exact split of responsibility for IBAN validation between payment service providers and merchants requires clarification, this vulnerability potentially exposes both regulatory compliance risks and revenue leakage through failed SEPA mandates. Swift implementation of proper verification measures would help mitigate these risks.

Proof of Concept Video Attached