Skip Links

Security Researchers Exploit Logic Flaws to Shop for Free Online

According to a research paper, security researchers exploited logic flaws in third-party cashiers like Amazon Payments, Google Checkout, and PayPal. They proved that a malicious shopper could purchase "an arbitrarily-set price, shop for free after paying for one item, or even avoid payment."

By Ms. Smith on Mon, 04/11/11 - 1:57pm.

Hello, online shoppers! Today we have new and improved products from online stores at the low, low price of free! That's right, security researchers discovered how to exploit security holes in a software development kit from Amazon Payments so that anyone with a computer and about $25 can be a "qualified attacker." If a person exploited logic flaws, then that malicious shopper could purchase at "an arbitrarily-set price, shop for free after paying for one item, or even avoid payment."

Security researchers from Indiana University Bloomington and Microsoft Research published a very interesting paper called How to Shop for Free Online [PDF]. Rui Wang, Shuo Chen, XiaoFeng Wang, and Shaz Qadeer studied security implications to merchant websites that accepted payments through third-party cashiers like Amazon Payments, Google Checkout, and PayPal. The researchers called these third-party payment services "Cashier-as-a-Service or CaaS." They found "serious logic flaws that could be exploited to cause inconsistencies between the states of the CaaS and the merchant" when they studied merchant applications like open-source NopCommerce and commercial Interspire, online stores like Buy.com and JR.com, and the CaaS provider Amazon Payments. According to Microsoft Research¸ the researchers responsibly alerted all affected parties to the vulnerabilities.

In a nutshell, the attacker as a shopper gives conflicting information to the payment system and to the merchant. Indiana University Ph.D. student Rui Wang explained how this works to CNET's Elinor Mills by comparing a malicious shopper to a "naughty kid" playing his parents off each other during separate one-on-one phone calls. This kid may tell slightly different versions of his story to his mom during a phone call than he does when on a one-on-one call to his dad. The kid "eventually gets an approval that he does not deserve. It all depends on whether mom and dad are smart and careful enough."

During the course of their study, researchers used the exploits to score on various items like a couple DVDs, agility cream, digital journals, an alcohol tester, and a charger. The research paper spells out the details of how the researchers were able to exploit vulnerabilities in third-party service integration with CaaS-Based web stores. In one flaw and exploit example, the research showed that anyone can open a seller account on Amazon. This same person as an attacker needed only $25 to purchase a MasterCard gift card and could then fake all the personal information like name, phone number and email address. Then the attacker could pay his own seller account, but check out the order from a store belonging to a different seller. The paper also states that Google Checkout was the most complicated of the four CaaS-integration applications studied, but researchers were able to add items to the cart after the checkout button was clicked.

Online retailer Buy.com has over 12 million customers in seven countries. As attackers, the researchers were able to skip the payment step in a second order while still convincing Buy.com that the second order was successfully paid. At JR.com, the flaw allowed an attacker website to sell items from JR.com at arbitrary prices. In other attacks, if the item "purchased" was a digital item, it was immediately downloaded. If it was a physical item needing shipped, the attacker could use a fake name at a valid postal address not linked to them.

Amazon Payments addressed and fixed the vulnerable software development kit, but is working on fixing the Amazon Simple Pay vulnerability. LinuxJournalStore contacted software vendor Interspire and, after the researcher's help, fixed the bug in the latest version on BigCommerce.com. Open-source NopCommerce bugs were fixed in relation to PayPal Standard, but Amazon will need to address the Amazon Simple Pay bug. Buy.com and JR.com did not report their progress updates to the researchers.

Yet according to "How to Shop for Free Online," this research only scratched the surface of security problems of "hybrid web applications," leaving other functionality such as cancel, return, subscription, auction, and marketplace as yet unstudied. "An interesting question might be, for example, whether we can check out a $1 order and a $10 order, and cancel the $1 order to get $10 refunded. We are also considering the security challenges that come with web service integrations in other scenarios, e.g., social networks and web authentication services."

In May, the researchers are scheduled to present their research paper at the IEEE Symposium on Security and Privacy.

Like this? Check out these other posts:

Follow me on Twitter @PrivacyFanatic