Feeds

Exploit-wielding boffins go on free online shopping binge

World's biggest e-commerce sites wide open

Build a business case: developing custom apps

Computer scientists have documented serious flaws in software running some of the world's biggest e-commerce sites and shown how they can be exploited to receive DVDs, digital journals, and other products for free or at sharply reduced prices not authorized by the sellers.

The findings, laid out in a paper to be presented at next month's IEEE Symposium on Security and Privacy, is an indictment of the software makers, the e-commerce sites, and the third-party cashiers used to process payments. By exploiting the buggy programming interfaces the three parties use to work together, the researchers were able to defraud sites including Buy.com, JR.com, and LinuxJournalStore.com. (They later canceled the transactions or returned the items to work around legal and ethical constraints.)

The researchers, from Microsoft and Indiana University, said the vulnerabilities stem from the interconnected communication among the end user making a purchase, the online merchants, and the cashier-as-a-service providers such as PayPal, Amazon Payments, and Google Checkout. The “trilateral interaction” is so complex that the two most popular e-commerce programs used to coordinate the communications can easily be fooled into approving the transactions for free, or at a tiny fraction of the price being charged.

“Unfortunately, the trilateral interaction can be significantly more complicated than typical bilateral interactions between a browser and a server, as in traditional web applications, which have already been found to be fraught with subtle logic bugs,” the researchers wrote. “Therefore, we believe that in the presence of a malicious shopper who intends to exploit knowledge gaps between the merchant and the CaaS, it is difficult to ensure security of a CaaS-based checkout system.”

One technique they used to get items for free was to set up their own Amazon seller account and then purchase an item from a merchant that uses the Amazon payment system. At time of checkout, they altered the data their browser sent to the server so that the payment was credited to their own seller account, rather than the account controlled by the merchant.

A separate method involved the cloning of a digital token PayPal Express uses to uniquely identify a particular payment and injecting it into the process of a different order. The sleight of hand caused Buy.com to skip the payment process altogether during the placement of the second order, allowing the researchers to receive the item at no cost.

Yet another attack worked by exploiting a logic flaw in the system used by PayPal that failed to confirm the gross amount of payment from the buyer. This allowed a fictitious shopper the researchers called Mark to make a payment of $1.76 to a seller they called Jeff and to then alter the amount reported to the Jeff's server to $17.76.

“Interestingly, Jeff's invoice actually showed a payment of $17.76,” the researchers reported. “There was no indication that the real payment was $1.76.”

The insecurity stems from bugs in the two leading e-commerce software packages, which are the open-source NopCommerce and the commercial Interspire Shopping Cart. By examining the source code or installing it on lab servers, they were able to identify the flaws and figure out practical ways to exploit them.

Armed with that knowledge, they then set their sights on closed-source proprietary software used by Buy.com and JR.com by conducting so-called blackbox exploit analyses on the two sites.

They said the software they analyzed was vulnerable largely because it was designed to be flexible enough to work with a variety of online merchants and payment processors. As a result, they exposed web-based APIs that were easy to manipulate.

“The adversary can invoke these APIs in an arbitrary order, set argument values for his calls at will, sign messages with his own signature, and memorize messages received from other parties to replay later,” the researchers wrote.

But they said the payment processors were also culpable. They called out Amazon Payments specifically for a “serious error” in its software developer kit that allowed attackers to provide their own digital certificates during online transactions so they bypassed legitimate certificates used during a verification process.

The researchers included Rui Wang and XiaoFeng Wang of Indiana University and Shuo Chen and Shaz Qadeer or Microsoft. They said they reported the vulnerabilities to the sites and companies involved and all have either fixed the flaws or declared the fixes “top priorities.” A PDF of their paper is here. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?