Vault/Stored Payment Methods are not saved per store

[lilbumblebear]

Preconditions (*)

1. Magento 2.4.3
2. Braintree Payment Method (with Stored Cards)

Steps to reproduce (*)

1. Create 2 websites (ex: A and B)
2. Stores - Configuration - Customers - Customer Configuration - Share customer accounts --> global
3. Reindex and cache clear
4. Admin - Stores - Configuration - Sales - Payment Methods - Scope - Default Scope - Configure Braintree with Sandbox account credentials and Save
5. Change scope to other Store view - Configure Braintree with different Sandbox account credentials and save (Different payment credentials for each website (testing with braintree, with 2 different sandbox accounts)
6. Reindex and clear cache
7. Create 1 customer
8. (on Admin) Create an order on website A for customer 1 and store card info
9. (on Admin) Start creating an order on website B for customer 1 and the stored card from website A appears
10. Front end - Login to Website B using same customer - Checkout page - Stored card payment method is displayed however payment is not working.

Expected result (*)

1. Card information should be saved per store, not globally for the customer
2. I should not be able to see stored cards unless I am checking out in the same store in which they were saved.

Actual result (*)

1. I am able to see the stored card from website A when I choose payment information for website B
2. If I try to process the order, there is an error (expected, because the processor credentials are different)

---

Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

• Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

[m2-assistant]

Hi @lilbumblebear. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

[m2-assistant]

Hi @engcom-Delta. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

• 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• 4. Verify that the issue is reproducible on 2.4-develop branch

  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• 5. Add label Issue: Confirmed once verification is complete.

• 6. Make sure that automatic system confirms that report has been added to the backlog.

[lilbumblebear]

any updates on this? seems like there is a security issue here with stored payments being shown on stores without the same processor credentials

[hostep]

@lilbumblebear: I fail to see how this is an issue when the customer account is shared across multiple websites?
If it would happen when the "Customers > Customer Configuration > Account Sharing Options" setting is set to "Per Website", then this would be a valid issue. But that's not the case here if I understand you correctly?
The creditcard info belongs to the customer, not to the payment method, right?

[lilbumblebear]

@hostep I understand your point, however, a vault payment token should technically be tied to the customer AND store in which it was used.

Sharing customer accounts across websites does not mean the websites share payment processor information.

Ex: Braintree credentials are saved at the store_view level. Let's say a store owner has 2 brands, each brand has its own website. Most processors require different accounts for each of these websites in order to display the correct brand in the transaction description. The customers can order from either website, with a shared account, but cannot use the same vault tokens because they are different processor accounts.

[hostep]

Hmm okay, this is pretty complex apparently and far beyond my knowledge 😄

@nathanjosiah: since this could be a potential security related issue, I'm including you here, but if you're not the right person, feel free to include people in here that know more about this functionality.

[nathanjosiah]

I don't think there are any security issues here. Based on the description of the problem it does look like a valid bug but I expect the only unexpected/bad behavior with this would be an error message if a token was used for a different payment account than what it was created for.

CC @vkublytskyi

[m2-assistant]

Hi @engcom-November. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

• 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• 4. Verify that the issue is reproducible on 2.4-develop branch

  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• 5. Add label Issue: Confirmed once verification is complete.

• 6. Make sure that automatic system confirms that report has been added to the backlog.

[engcom-November]

Verified the issue on Magento 2.4-develop branch and the issue is reproducible.
Admin:

Front end -
Stored card info is displayed however payment is not working. Page not loading.

[github-jira-sync-bot]

✅ Jira issue https://jira.corp.magento.com/browse/AC-2016 is successfully created for this GitHub issue.

[m2-assistant]

✅ Confirmed by @engcom-November. Thank you for verifying the issue.
Issue Available: @engcom-November, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

[fredden]

@nathanjosiah I think there is a security issue here.

Consider a case where the payment gateway gives weak / colliding tokens. This is fine, because the token means nothing to us, and the association with actual payment happens at the payment gateway side. Let's say (for ease of discussion here) that the payment gateway gives sequential numeric identifiers per account as its tokens.

With the above, let's follow the flow of two users in Magento using the Vault.

1. Alice creates an account in Store1 (configured with Sandbox1 payment gateway account).
2. Alice goes through checkout in Store1 and saves their card, getting a token of Vault1 from the payment gateway.
3. Bob creates an account in Store2 (configured with Sandbox2 payment gateway account).
4. Bob goes through checkout in Store2 and saves their card, getting a token of Vault1 from the payment gateway.
5. Alice goes through checkout in Store1 using their saved card. The payment gateway sees Vault1 for Sandbox1 and takes payment. All is well.
6. Bob goes through checkout in Store2 using their saved card. The payment gateway sees Vault1 for Sandbox2 and takes payment. All is well.
7. Alice goes through checkout in Store2 using their saved card. The payment gateway sees Vault1 for Sandbox2 and takes payment from the wrong person. Magento thinks all is well, as the payment gateway reports that it has successfully transferred funds.

Another similar problem could exist if the website administrator changes the payment gateway account credentials. For example (following on from above):

1. The website administrator changes the payment details for Store1 to use payment gateway account Production1.
2. Charlie goes through checkout and saves their card, getting a token of Vault1 from the payment gateway.
3. Alice goes through checkout in Store1 using their saved card. The payment gateway sees Vault1 for Production1 and takes payment from the wrong person. Magento thinks all is well, as the payment gateway reports that it has successfully transferred funds.

From what's being described here, no collisions have been detected so far. (This is most likely because payment gateways are likely producing globally unique tokens.) When there's no collision, the payment gateway is rejecting the token and the user gets an error.

Yes, the token belongs to the user, but also to the payment method / gateway account. When these match what's on the store being visited, the Vault payment methods / options should show. When either is not applicable, the Vault payment methods should not be displayed.

[github-jira-sync-bot]

✅ Jira issue https://jira.corp.magento.com/browse/AC-2901 is successfully created for this GitHub issue.

[m2-assistant]

✅ Confirmed by @sidolov. Thank you for verifying the issue.
Issue Available: @sidolov, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

[fredden]

@sidolov why was this closed? The labels suggest that this has been 'done', but I don't see any details here about what has been changed in order to fix this.

[engcom-Bravo]

Hello,

As I can see this issue got fixed in the scope of the internal Jira ticket AC-2901 by the internal team
Related commits: https://github.com/search?q=repo%3Amagento%2Fmagento2+AC-2901&type=commits

Based on the Jira ticket, the target version is 2.4.7-beta2.

Thanks