Official Site Of The Xakep 4T english version

The biggest shopping sites are completely open to attack

Published 16 April 2011, 8:08 AM
Computer security researchers have reported serious flaws in the software used by some of the largest shopping sites, and have shown how those sites can be attacked to obtain DVDs, electronic magazines and other products free of charge or at heavy discounts that the vendors never set.

The findings, written up in a paper to be presented at the IEEE Symposium on Security and Privacy next month, implicate the makers of e-commerce software, the online stores themselves, and the third-party companies that take payments from customers. Using bugs in the programming interfaces shared by these three parties, the researchers managed to fool sites such as Buy.com, JR.com and LinuxJournalStore.com. (The researchers later cancelled the orders and returned the goods they received, to stay within legal and ethical bounds.)

Researchers from Microsoft and Indiana University have shown that the vulnerabilities originate in the network interaction between the end user completing a purchase, the online retailer, and the cashier-as-a-service provider, such as PayPal, Amazon Payments or Google Checkout. This three-party cooperation is so complex that the two most popular e-commerce software packages used to tie the parties together can easily be deceived into approving an order without any money being transferred, or with only a small fraction of the actual price of the purchased product.

"Unfortunately, the three-way interaction can be much more complicated than the conventional two-way interaction between the browser and the server in conventional web applications. They have been found susceptible to subtle logic errors," the researchers wrote. "Therefore, we believe that, with the suspected presence of a malicious customer who wants to take advantage of the gap between the seller and the CaaS, it is extremely difficult to guarantee the security of the payment control system."

In one of the methods used to get goods for free, the researchers created their own seller account on Amazon and then bought an item from another seller using Amazon Payments. At checkout, they modified the data sent from the server to the browser so that the payment was credited to their own seller account rather than to the account of the seller of the item.

A separate method consisted of cloning the digital token that PayPal Express uses to uniquely identify a specific payment and feeding it into the checkout of a second order. This trick caused Buy.com to skip the payment step for the second order, which let the researchers obtain the purchased item for free.

Another attack exploited a logic flaw in the PayPal integration, which failed to check the total amount actually paid by the buyer. This allowed a fictitious buyer, whom the researchers called Mark, to pay $1.76 to a seller they named Jeff and then raise the amount recorded on Jeff's server to $17.76.

"It is interesting that Jeff's invoice confirmed a payment of $17.76," the researchers reported. "There was no indication that the payment was in fact $1.76."
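The three tricks above (a redirected payee, a replayed PayPal Express token, and an unverified amount) are all failures of the merchant to check fields it already has. The following added example, which is not code from the paper or from any of the shops named here, shows a merchant-side verifier that closes those gaps; the seller account id, order records, payment notices and in-memory token store are constructed values, and it assumes the notice's signature from the CaaS has already been checked before this step.

```python
from dataclasses import dataclass
from decimal import Decimal

MY_SELLER_ACCOUNT = "seller-jeff-001"  # constructed: the merchant's own payee id


@dataclass(frozen=True)
class Order:
    order_id: str
    total: Decimal  # price the merchant set; never taken from the browser


@dataclass(frozen=True)
class PaymentNotice:
    token: str      # the CaaS's unique id for this payment
    payee: str      # account the CaaS actually credited
    amount: Decimal # amount the CaaS actually collected
    order_id: str   # order the payment was made for


class PaymentVerifier:
    def __init__(self, my_account: str = MY_SELLER_ACCOUNT):
        self.my_account = my_account
        self.seen_tokens: set = set()  # tokens already used to fulfil an order

    def verify(self, order: Order, notice: PaymentNotice) -> tuple:
        # 1. Redirected payee (the Amazon Payments trick): the money must reach us.
        if notice.payee != self.my_account:
            return False, "payee mismatch"
        # 2. Underpayment (the $1.76 vs $17.76 trick): compare against OUR total.
        if notice.amount != order.total:
            return False, "amount mismatch"
        # 3. A payment pays for exactly the order being fulfilled.
        if notice.order_id != order.order_id:
            return False, "order mismatch"
        # 4. Replayed token (the PayPal Express trick): one token, one order.
        if notice.token in self.seen_tokens:
            return False, "token replay"
        self.seen_tokens.add(notice.token)
        return True, "ok"


def run_scenarios() -> dict:
    """Constructed scenarios: one honest payment and the three attacks above."""
    v = PaymentVerifier()
    o1, o2 = Order("A-100", Decimal("17.76")), Order("A-101", Decimal("17.76"))
    me, price = MY_SELLER_ACCOUNT, Decimal("17.76")
    return {
        "honest": v.verify(o1, PaymentNotice("tok-1", me, price, "A-100"))[1],
        "redirected payee": v.verify(o2, PaymentNotice("tok-2", "seller-mark", price, "A-101"))[1],
        "underpaid": v.verify(o2, PaymentNotice("tok-3", me, Decimal("1.76"), "A-101"))[1],
        "replayed token": v.verify(o2, PaymentNotice("tok-1", me, price, "A-101"))[1],
    }
```

The token store must be persistent and shared across all checkout servers in a real deployment, otherwise a replay against a second instance would still pass.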

The problems begin in two of the most common e-commerce software packages: the open-source nopCommerce and the commercial Interspire Shopping Cart. By examining the source code and installing the software on lab servers, the researchers were able to find the vulnerabilities and practical ways to exploit them.

Armed with this knowledge, they turned to the closed-source software used by Buy.com and JR.com.

They said the software they analyzed was particularly vulnerable because it was designed to be flexible and versatile enough to work with a variety of online stores and payment systems. As a result, it exposed a programming interface that was easy to manipulate.

"The hackers' side can use this API to place illegal orders, set the price values in its calls as it wishes, sign messages, and store messages received from other parties to replay in the future," the researchers wrote.

The researchers noted that the payment providers also bear responsibility. In Amazon Payments they discovered a software bug that allowed an attacker to supply their own digital certificate for use during the verification process.

The researchers were Rui Wang and XiaoFeng Wang of Indiana University and Shuo Chen and Shaz Qadeer of Microsoft. They said they had informed the affected sites and companies of the vulnerabilities, and that all of them had either fixed the flaws or declared patching them a "top priority".

The paper in PDF format can be found here.

Added by: XakepNews