CVE-2020-37168
Description
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ecommerce Systempay 1.0 uses a weak 16-character production secret key that can be brute-forced via SHA1 hash comparison, allowing attackers to forge payment signatures and manipulate transaction amounts.
Vulnerability
Overview
Ecommerce Systempay 1.0 contains a critical cryptographic weakness in its payment signature generation. The production secret key is only 16 characters long and is used with SHA1 hashing to sign payment form data. Attackers can intercept the POST request sent to the payment endpoint (https://paiement.systempay.fr/vads-payment/) and extract both the form fields and the corresponding signature [1].
Exploitation
Method
An attacker with network access to the payment flow can capture a legitimate signed request. Using the extracted signature and form data, they can perform an offline brute-force attack against the 16-character secret key. The exploit script iterates through candidate keys, computing SHA1 hashes of the form data concatenated with each key, and compares the result to the captured signature until a match is found [1]. No authentication is required beyond observing a single payment transaction.
Impact
Once the production secret key is recovered, the attacker can forge valid signatures for any modified payment form data. This allows them to alter transaction amounts, redirect funds, or generate fake successful payment responses. The vulnerability is rated CVSS 9.8 (Critical) due to the low complexity of the attack and the high potential for financial fraud [2].
Mitigation
As of the advisory publication, no patch or vendor fix has been confirmed. Systempay users should immediately rotate their production secret keys to longer, randomly generated values and consider migrating to a stronger hashing algorithm (e.g., HMAC-SHA256) to prevent brute-force attacks. The exploit code has been publicly available since February 2020 [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
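As an added illustration (not code from Systempay, the advisory or the exploit), the signing pattern the narrative above attributes to the product is shown beside the hardened replacement the Mitigation section recommends: a 256-bit random secret from a CSPRNG, HMAC-SHA256 instead of a bare SHA1 over data plus key, a constant-time comparison, and a server-side reconciliation of the amount against the merchant's stored order so a tampered form is rejected even when its signature looks valid. The field names, the key=value canonicalization joined with "+", and the dictionary layout are assumptions, not the real Systempay format.

```python
import hashlib
import hmac
import secrets


def canonical_payload(fields: dict) -> str:
    """Deterministic serialisation of the form fields (assumed layout:
    key=value pairs, sorted by key, joined with '+')."""
    return "+".join(f"{k}={fields[k]}" for k in sorted(fields))


def weak_signature(fields: dict, key: str) -> str:
    """The pattern described in the advisory: unkeyed SHA1 over the
    payload with a short shared key appended. The key is the only secret,
    and SHA1 offers no protection against offline guessing of it."""
    data = canonical_payload(fields) + "+" + key
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def generate_secret() -> bytes:
    """256-bit random secret from the OS CSPRNG; rotate it per merchant."""
    return secrets.token_bytes(32)


def hmac_signature(fields: dict, secret: bytes) -> str:
    """Hardened form: HMAC-SHA256 keyed with the 32-byte secret."""
    payload = canonical_payload(fields).encode("utf-8")
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_payment(fields: dict, secret: bytes, presented: str,
                   stored_amount: str) -> bool:
    """Server-side check of a returned payment form: constant-time
    signature comparison, then reconciliation of the amount against the
    merchant's own stored order (constructed as a plain string here)."""
    expected = hmac_signature(fields, secret)
    if not hmac.compare_digest(expected, presented):
        return False
    return fields.get("amount") == stored_amount


if __name__ == "__main__":
    # Constructed sample order; amount in minor units, currency as ISO code.
    order = {"order_id": "ORD-0001", "amount": "4999", "currency": "978"}
    secret = generate_secret()
    sig = hmac_signature(order, secret)
    print("genuine form accepted:", verify_payment(order, secret, sig, "4999"))
    tampered = dict(order, amount="1")
    print("tampered amount accepted:", verify_payment(tampered, secret, sig, "4999"))
```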
Affected products
Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.