Feeds

Exploit-wielding boffins go on free online shopping binge

World's biggest e-commerce sites wide open

Top 5 reasons to deploy VMware with Tegile

Computer scientists have documented serious flaws in software running some of the world's biggest e-commerce sites and shown how they can be exploited to receive DVDs, digital journals, and other products for free or at sharply reduced prices not authorized by the sellers.

The findings, laid out in a paper to be presented at next month's IEEE Symposium on Security and Privacy, is an indictment of the software makers, the e-commerce sites, and the third-party cashiers used to process payments. By exploiting the buggy programming interfaces the three parties use to work together, the researchers were able to defraud sites including Buy.com, JR.com, and LinuxJournalStore.com. (They later canceled the transactions or returned the items to work around legal and ethical constraints.)

The researchers, from Microsoft and Indiana University, said the vulnerabilities stem from the interconnected communication among the end user making a purchase, the online merchants, and the cashier-as-a-service providers such as PayPal, Amazon Payments, and Google Checkout. The “trilateral interaction” is so complex that the two most popular e-commerce programs used to coordinate the communications can easily be fooled into approving the transactions for free, or at a tiny fraction of the price being charged.

“Unfortunately, the trilateral interaction can be significantly more complicated than typical bilateral interactions between a browser and a server, as in traditional web applications, which have already been found to be fraught with subtle logic bugs,” the researchers wrote. “Therefore, we believe that in the presence of a malicious shopper who intends to exploit knowledge gaps between the merchant and the CaaS, it is difficult to ensure security of a CaaS-based checkout system.”

One technique they used to get items for free was to set up their own Amazon seller account and then purchase an item from a merchant that uses the Amazon payment system. At time of checkout, they altered the data their browser sent to the server so that the payment was credited to their own seller account, rather than the account controlled by the merchant.

A separate method involved the cloning of a digital token PayPal Express uses to uniquely identify a particular payment and injecting it into the process of a different order. The sleight of hand caused Buy.com to skip the payment process altogether during the placement of the second order, allowing the researchers to receive the item at no cost.

Yet another attack worked by exploiting a logic flaw in the system used by PayPal that failed to confirm the gross amount of payment from the buyer. This allowed a fictitious shopper the researchers called Mark to make a payment of $1.76 to a seller they called Jeff and to then alter the amount reported to the Jeff's server to $17.76.

“Interestingly, Jeff's invoice actually showed a payment of $17.76,” the researchers reported. “There was no indication that the real payment was $1.76.”

The insecurity stems from bugs in the two leading e-commerce software packages, which are the open-source NopCommerce and the commercial Interspire Shopping Cart. By examining the source code or installing it on lab servers, they were able to identify the flaws and figure out practical ways to exploit them.

Armed with that knowledge, they then set their sights on closed-source proprietary software used by Buy.com and JR.com by conducting so-called blackbox exploit analyses on the two sites.

They said the software they analyzed was vulnerable largely because it was designed to be flexible enough to work with a variety of online merchants and payment processors. As a result, they exposed web-based APIs that were easy to manipulate.

“The adversary can invoke these APIs in an arbitrary order, set argument values for his calls at will, sign messages with his own signature, and memorize messages received from other parties to replay later,” the researchers wrote.

But they said the payment processors were also culpable. They called out Amazon Payments specifically for a “serious error” in its software developer kit that allowed attackers to provide their own digital certificates during online transactions so they bypassed legitimate certificates used during a verification process.

The researchers included Rui Wang and XiaoFeng Wang of Indiana University and Shuo Chen and Shaz Qadeer or Microsoft. They said they reported the vulnerabilities to the sites and companies involved and all have either fixed the flaws or declared the fixes “top priorities.” A PDF of their paper is here. ®

Beginner's guide to SSL certificates

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.