No, I am NOT encouraging you to scam your favorite e-store. This is for awareness only, please don’t do anything foolish or illegal.
The Register reports that researchers have been able to defraud e-commerce sites including Buy.com, JR.com, and LinuxJournalStore.com using simple URL and data manipulation techniques. One technique they used to get items for free was to set up their own Amazon seller account and then purchase an item from a merchant that uses the Amazon payment system. At checkout time, they altered the data their browser sent to the server so that the payment was credited to their own seller’s account, rather than the account controlled by the selling merchant.
Another method involved cloning a digital PayPal Express token used to uniquely identify a particular payment, and injecting it into the process of a different order. This caused Buy.com to skip the payment process altogether during the placement of the second order, allowing them to receive the item at no cost.
Yet another attack worked by exploiting a logic flaw in the system used by PayPal that failed to confirm the gross amount of the payment from the buyer. This allowed a fictitious shopper the researchers called Mark (no relation) to make a payment of $1.76 to a seller, and then to alter the amount reported to the server to appear to have been $17.76. The seller’s invoice actually showed a payment of $17.76.
The insecurities reported stem from bugs in two leading e-commerce software packages, open-source NopCommerce, and the commercial Interspire Shopping Cart. The researchers installed these tools on lab servers and examined the source code to identify the flaws and to figure out practical ways to exploit them. They then set their sights on closed-source proprietary software used by Buy.com and JR.com by conducting “blackbox exploit analysis” on the two sites.
They said the software they analyzed was vulnerable largely because it was designed to be flexible enough to work with a variety of online merchants and payment processors, exposing web-based APIs that were easy to manipulate. They called out Amazon Payments specifically for a “serious error” in its software developer kit that allowed attackers to provide their own digital certificates during online transactions, bypassing the legitimate certificates used during the verification process. Convenience and flexibility once again interfere with security. The attacker can invoke these APIs in an arbitrary order, set argument values for their calls at will, sign messages with their own validating signature, and memorize messages received from other parties for later replay.
Their detailed findings will be presented in a paper at next month’s IEEE Symposium on Security and Privacy. A PDF of their paper is available here.