Authorize.Net: Important MD5 Hash Removal/Disablement

I received the following email from Authorize.Net on January 11, 2019:

Authorize.Net is phasing out the MD5 based transHash element in favor of the SHA-256 based transHashSHA2. The setting in the Merchant Interface which controls the MD5 Hash option will be removed by the end of January 2019, and the transHash element will stop returning values at a later date to be determined.

We have identified that you have this feature configured and may be relying on MD5 based transHash in transaction responses for verifying the sender is Authorize.Net.

Please contact and work with your web developer or solutions provider to verify if you are still utilizing MD5 based hash and if still needed to move to SHA-256 hash via Signature Key.

Please refer your developer or solution provider to our Transaction Hash Upgrade Guide for more details and information on this change.

Here’s a link to the “Transaction Hash Upgrade Guide”:
https://developer.authorize.net/support/hash_upgrade/

Thanks

1 Like

I just got this as well - need an update ASAP or this kills s2Member for our site.

Hi, is there anything we need to do on the Plugin side before or after we update our Auth.net account with the new SHA-256 code?

This change on Authorize.net will be an issue for our site as well.

Information from Authorize.Net explaining the purpose of MD5:
https://support.authorize.net/s/article/What-is-the-MD5-Hash-Security-feature-and-how-does-it-work

It says the following:

Note that the MD5 Hash option exists for transaction responses sent by means of the Advanced Integration Method (AIM) or the Card Present (CP) implementation methods. However, these methods use Secure Sockets Layer (SSL) to ensure that the transaction response is legitimate, and so it is not as useful for AIM or CP merchants.

I assume that most Authorize.Net setups with s2member use AIM, so I was wondering if the MD5 setting is optional. I removed it within s2member settings, but checkout pages end up showing the following error:

Authorize.Net configuration error. Your Authorize.Net Secret MD5 Hash is not yet configured.

So it seems like Authorize.Net is saying it’s not particularly useful for AIM transactions, but s2member requires its presence nonetheless.

1 Like

+1 that this seems to be an urgent coming breakage for all/most s2member sites using Authorize.net.

On the plus side, this seems like a fairly simple fix for the developers. In the “upgrade guide” (https://developer.authorize.net/support/hash_upgrade/) they offer a sample function in C#.

I know that the new team will have a gazillion requests coming at them, but this could break sites as early as February. (That link is cagey about when exactly they’ll stop accepting the old MD5 hash.) Please consider making this a priority so no sites break. Thanks!

1 Like

Thanks for the heads-up, guys. I have it high on my list to sort this, and will likely share a hotfix here as soon as I can, so you can have it before the coming release. :slight_smile:

4 Likes

Yes, I’m a HUGE FAN OF HOTFIXES.

Regular releases are great but having problems or issues fixed asap is arguably #2 on my list.

Yes for this :+1:

1 Like

Thanks Cristián!

1 Like

Little over 8 business days left in the month - any status update on the hotfix for this? Thank you.

1 Like

Yes. Still working on it. Not forgotten. :slight_smile:

I will post something soon.

2 Likes

Awesome, thank you for the reply!

1 Like

A more clear and detailed announcement from Authorize.Net: https://support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement

Phase 1 - Starting later this month to early February 2019, we will remove ability to configure or update MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.

Phase 2 - Stop sending the MD5 Hash data element in the API response. This change will require that applications support the SHA-512 hash via signature key. Dates for phase 2 will be announced later but is expected in the next 2-3 months.

:slight_smile:

2 Likes
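
Added example (not part of the original thread, and not s2Member's or Authorize.Net's code): one way a PHP integration could check the SHA-512 hash via Signature Key mentioned in the announcement above, failing closed when `transHashSHA2` is absent. The message layout (`^API Login ID^transId^amount^`), the function names and the sample values are assumptions for illustration; confirm the layout against the Transaction Hash Upgrade Guide.

```php
<?php
// Added example, not s2Member or Authorize.Net code.
// Assumption: the hash is HMAC-SHA512, keyed with the hex-decoded Signature Key,
// over "^{API Login ID}^{transId}^{amount}^" (hypothetical helper names below).

function authnet_expected_hash(string $signatureKeyHex, string $apiLoginId, string $transId, string $amount): string
{
    // The Signature Key is handled as a hex string; HMAC needs the raw bytes.
    if ($signatureKeyHex === '' || strlen($signatureKeyHex) % 2 !== 0 || !ctype_xdigit($signatureKeyHex)) {
        throw new InvalidArgumentException('Signature Key must be an even-length hex string.');
    }
    // Use the amount exactly as it appears in the response; reformatting it changes the hash.
    $message = '^' . $apiLoginId . '^' . $transId . '^' . $amount . '^';
    return strtoupper(hash_hmac('sha512', $message, hex2bin($signatureKeyHex)));
}

function authnet_response_is_authentic(string $signatureKeyHex, string $apiLoginId, array $response): bool
{
    $received = strtoupper(trim((string) ($response['transHashSHA2'] ?? '')));
    // Fail closed: a missing or malformed hash (e.g. a legacy MD5-only response) is rejected.
    if (strlen($received) !== 128 || !ctype_xdigit($received)) {
        return false;
    }
    $expected = authnet_expected_hash(
        $signatureKeyHex,
        $apiLoginId,
        (string) ($response['transId'] ?? ''),
        (string) ($response['amount'] ?? '')
    );
    return hash_equals($expected, $received); // constant-time comparison
}

// Constructed sample values (not real credentials or transactions).
$key = str_repeat('0123456789ABCDEF', 8); // 128 hex characters
$login = 'EXAMPLE_LOGIN_ID';
$response = ['transId' => '1234567890', 'amount' => '9.95'];
$response['transHashSHA2'] = authnet_expected_hash($key, $login, $response['transId'], $response['amount']);

var_dump(authnet_response_is_authentic($key, $login, $response)); // genuine response
$response['amount'] = '0.95';
var_dump(authnet_response_is_authentic($key, $login, $response)); // amount altered after signing
unset($response['transHashSHA2']);
var_dump(authnet_response_is_authentic($key, $login, $response)); // hash element missing
```

Keep the Signature Key out of source control and logs; anyone who holds it can produce hashes that pass this check.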

So 6-12 months, lol.

1 Like

Thanks for this update! 2-3 months gives us all a little time to breathe. :slight_smile:

1 Like

Christian:

How would I know about a hotfix? This affects 2 of my clients.

Do I check here or what?

Willy

1 Like

Yes, I’ll post it here when it’s ready. Krum and I are working on it. :slight_smile:

I do keep checking back but I find nothing since the post from 12 days ago. Am I missing something?

1 Like

Hi Gregg.

No, you haven’t missed it. There just hasn’t been an update yet. When I have it, this is where I’ll post it. :slight_smile:

Thank you for your patience! Here’s the fix. :smiley:

authnet-sha512-fix.zip (29.4 KB)

You’ll see three files in the zip. They go in these folders of s2Member Pro:

s2member-pro/src/includes/ syscon.inc.php
s2member-pro/src/includes/menu-pages/ authnet-ops.inc.php
s2member-pro/src/includes/classes/gateways/authnet/ authnet-utilities.inc.php

Although you should not have any problem from these, it’s always best to make a backup before your test.

Please report anything you find not working, or that could be improved. Your feedback is very appreciated and will be used to improve the fix before implementing it in the next release.

Looking forward to your results!

1 Like