Feeds

Exploit-wielding boffins go on free online shopping binge

World's biggest e-commerce sites wide open

SANS - Survey on application security programs

Computer scientists have documented serious flaws in software running some of the world's biggest e-commerce sites and shown how they can be exploited to receive DVDs, digital journals, and other products for free or at sharply reduced prices not authorized by the sellers.

The findings, laid out in a paper to be presented at next month's IEEE Symposium on Security and Privacy, is an indictment of the software makers, the e-commerce sites, and the third-party cashiers used to process payments. By exploiting the buggy programming interfaces the three parties use to work together, the researchers were able to defraud sites including Buy.com, JR.com, and LinuxJournalStore.com. (They later canceled the transactions or returned the items to work around legal and ethical constraints.)

The researchers, from Microsoft and Indiana University, said the vulnerabilities stem from the interconnected communication among the end user making a purchase, the online merchants, and the cashier-as-a-service providers such as PayPal, Amazon Payments, and Google Checkout. The “trilateral interaction” is so complex that the two most popular e-commerce programs used to coordinate the communications can easily be fooled into approving the transactions for free, or at a tiny fraction of the price being charged.

“Unfortunately, the trilateral interaction can be significantly more complicated than typical bilateral interactions between a browser and a server, as in traditional web applications, which have already been found to be fraught with subtle logic bugs,” the researchers wrote. “Therefore, we believe that in the presence of a malicious shopper who intends to exploit knowledge gaps between the merchant and the CaaS, it is difficult to ensure security of a CaaS-based checkout system.”

One technique they used to get items for free was to set up their own Amazon seller account and then purchase an item from a merchant that uses the Amazon payment system. At time of checkout, they altered the data their browser sent to the server so that the payment was credited to their own seller account, rather than the account controlled by the merchant.

A separate method involved the cloning of a digital token PayPal Express uses to uniquely identify a particular payment and injecting it into the process of a different order. The sleight of hand caused Buy.com to skip the payment process altogether during the placement of the second order, allowing the researchers to receive the item at no cost.

Yet another attack worked by exploiting a logic flaw in the system used by PayPal that failed to confirm the gross amount of payment from the buyer. This allowed a fictitious shopper the researchers called Mark to make a payment of $1.76 to a seller they called Jeff and to then alter the amount reported to the Jeff's server to $17.76.

“Interestingly, Jeff's invoice actually showed a payment of $17.76,” the researchers reported. “There was no indication that the real payment was $1.76.”

The insecurity stems from bugs in the two leading e-commerce software packages, which are the open-source NopCommerce and the commercial Interspire Shopping Cart. By examining the source code or installing it on lab servers, they were able to identify the flaws and figure out practical ways to exploit them.

Armed with that knowledge, they then set their sights on closed-source proprietary software used by Buy.com and JR.com by conducting so-called blackbox exploit analyses on the two sites.

They said the software they analyzed was vulnerable largely because it was designed to be flexible enough to work with a variety of online merchants and payment processors. As a result, they exposed web-based APIs that were easy to manipulate.

“The adversary can invoke these APIs in an arbitrary order, set argument values for his calls at will, sign messages with his own signature, and memorize messages received from other parties to replay later,” the researchers wrote.

But they said the payment processors were also culpable. They called out Amazon Payments specifically for a “serious error” in its software developer kit that allowed attackers to provide their own digital certificates during online transactions so they bypassed legitimate certificates used during a verification process.

The researchers included Rui Wang and XiaoFeng Wang of Indiana University and Shuo Chen and Shaz Qadeer or Microsoft. They said they reported the vulnerabilities to the sites and companies involved and all have either fixed the flaws or declared the fixes “top priorities.” A PDF of their paper is here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.