Feeds

Exploit-wielding boffins go on free online shopping binge

World's biggest e-commerce sites wide open

Secure remote control for conventional and virtual desktops

Computer scientists have documented serious flaws in software running some of the world's biggest e-commerce sites and shown how they can be exploited to receive DVDs, digital journals, and other products for free or at sharply reduced prices not authorized by the sellers.

The findings, laid out in a paper to be presented at next month's IEEE Symposium on Security and Privacy, is an indictment of the software makers, the e-commerce sites, and the third-party cashiers used to process payments. By exploiting the buggy programming interfaces the three parties use to work together, the researchers were able to defraud sites including Buy.com, JR.com, and LinuxJournalStore.com. (They later canceled the transactions or returned the items to work around legal and ethical constraints.)

The researchers, from Microsoft and Indiana University, said the vulnerabilities stem from the interconnected communication among the end user making a purchase, the online merchants, and the cashier-as-a-service providers such as PayPal, Amazon Payments, and Google Checkout. The “trilateral interaction” is so complex that the two most popular e-commerce programs used to coordinate the communications can easily be fooled into approving the transactions for free, or at a tiny fraction of the price being charged.

“Unfortunately, the trilateral interaction can be significantly more complicated than typical bilateral interactions between a browser and a server, as in traditional web applications, which have already been found to be fraught with subtle logic bugs,” the researchers wrote. “Therefore, we believe that in the presence of a malicious shopper who intends to exploit knowledge gaps between the merchant and the CaaS, it is difficult to ensure security of a CaaS-based checkout system.”

One technique they used to get items for free was to set up their own Amazon seller account and then purchase an item from a merchant that uses the Amazon payment system. At time of checkout, they altered the data their browser sent to the server so that the payment was credited to their own seller account, rather than the account controlled by the merchant.

A separate method involved the cloning of a digital token PayPal Express uses to uniquely identify a particular payment and injecting it into the process of a different order. The sleight of hand caused Buy.com to skip the payment process altogether during the placement of the second order, allowing the researchers to receive the item at no cost.

Yet another attack worked by exploiting a logic flaw in the system used by PayPal that failed to confirm the gross amount of payment from the buyer. This allowed a fictitious shopper the researchers called Mark to make a payment of $1.76 to a seller they called Jeff and to then alter the amount reported to the Jeff's server to $17.76.

“Interestingly, Jeff's invoice actually showed a payment of $17.76,” the researchers reported. “There was no indication that the real payment was $1.76.”

The insecurity stems from bugs in the two leading e-commerce software packages, which are the open-source NopCommerce and the commercial Interspire Shopping Cart. By examining the source code or installing it on lab servers, they were able to identify the flaws and figure out practical ways to exploit them.

Armed with that knowledge, they then set their sights on closed-source proprietary software used by Buy.com and JR.com by conducting so-called blackbox exploit analyses on the two sites.

They said the software they analyzed was vulnerable largely because it was designed to be flexible enough to work with a variety of online merchants and payment processors. As a result, they exposed web-based APIs that were easy to manipulate.

“The adversary can invoke these APIs in an arbitrary order, set argument values for his calls at will, sign messages with his own signature, and memorize messages received from other parties to replay later,” the researchers wrote.

But they said the payment processors were also culpable. They called out Amazon Payments specifically for a “serious error” in its software developer kit that allowed attackers to provide their own digital certificates during online transactions so they bypassed legitimate certificates used during a verification process.

The researchers included Rui Wang and XiaoFeng Wang of Indiana University and Shuo Chen and Shaz Qadeer or Microsoft. They said they reported the vulnerabilities to the sites and companies involved and all have either fixed the flaws or declared the fixes “top priorities.” A PDF of their paper is here. ®

New hybrid storage solutions

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.