Computer security researchers have reported serious flaws in the software behind some of the largest online stores and have shown how those flaws can be exploited to obtain DVDs, electronic magazines and other goods free of charge, or at steep discounts that the merchants never offered.
The findings, to be presented in a paper at the IEEE Symposium on Security and Privacy next month, fault the makers of e-commerce software, the web stores themselves, and the third-party companies that take payments from customers on the stores' behalf. Using bugs in the programming interfaces shared by these three parties, the researchers managed to fool sites including Buy.com, JR.com and LinuxJournalStore.com. (They afterwards cancelled the orders and returned the goods they had received, to stay within legal and ethical bounds.)
The researchers, from Microsoft and Indiana University, showed that the vulnerabilities arise in the network exchanges between the end user completing a purchase, the online retailer, and the payment service provider, or "cashier" (the paper's cashier-as-a-service, CaaS), such as PayPal, Amazon Payments or Google Checkout. This "three-party cooperation" is complex enough that the two most popular e-commerce software packages used to glue the parties together can easily be deceived into approving a transaction with no transfer of money at all, or with a transfer of only a small fraction of the price of the purchased item.
"Unfortunately, the three-party interaction can be much more complicated than the conventional two-party interaction between browser and server found in ordinary web applications, and has been found susceptible to subtle logic errors," the researchers wrote. "Therefore, we believe that in the presence of a malicious shopper who wants to exploit the gap between the merchant and the CaaS, it is extremely difficult to guarantee the security of the payment checkout system."
One of the methods they used to obtain free goods was to create a seller account of their own on Amazon and then buy an item from another seller who accepts payment through Amazon's payment system. At checkout, they altered the data that the store's server sends to the browser for forwarding to the cashier, so that the payment was credited to their own seller account rather than to the account of the seller whose item they were buying.
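The seller-swap described above, as an added simulation that is not code from the paper or from any of the stores or payment providers it names. The party names, the field layout of the request and notification, and the use of HMAC-SHA256 as the signature are assumptions of this example; the point it makes is that a merchant which checks only "the cashier signed this and it says PAID" will ship, while one that also checks who was paid will not.

```python
"""Seller-swap attack on a signed cashier (CaaS) checkout, constructed example.

Parties: the merchant "Jeff" (runs the store), the cashier (collects money and
reports back), and the shopper "Mark", who also holds a seller account at the
cashier. Names, fields and HMAC signing are assumptions of this simulation.
"""
import hashlib
import hmac
from urllib.parse import urlencode

# Assumed shared secrets: one per seller for payment requests, plus one the
# cashier uses to sign the notification it sends to the merchant's return URL.
SELLER_KEYS = {"jeff-store": "jeff-secret", "mark-shop": "mark-secret"}
CASHIER_KEY = "cashier-notification-key"
MERCHANT_ID = "jeff-store"


def sign(key: str, fields: dict) -> str:
    """HMAC-SHA256 over the fields in canonical (sorted) order."""
    msg = urlencode(sorted(fields.items())).encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def unsigned(fields: dict) -> dict:
    """The message without its signature field."""
    return {k: v for k, v in fields.items() if k != "signature"}


def merchant_checkout_page(order_id: str, amount: str) -> dict:
    """The payment request Jeff's server renders into the shopper's browser.
    The browser, not Jeff, posts it to the cashier, so Mark can edit it first."""
    fields = {"sellerId": MERCHANT_ID, "orderId": order_id, "amount": amount}
    fields["signature"] = sign(SELLER_KEYS[MERCHANT_ID], fields)
    return fields


def attacker_rewrite(request: dict) -> dict:
    """Mark points the payment at his own seller account and re-signs with his
    own seller key, which is all the cashier needs to see a valid signature."""
    tampered = unsigned(request)
    tampered["sellerId"] = "mark-shop"
    tampered["signature"] = sign(SELLER_KEYS["mark-shop"], tampered)
    return tampered


def cashier_pay(request: dict) -> dict:
    """Verifies the request against the key of whichever seller it names,
    credits that seller, and signs a PAID notification naming the order."""
    expected = sign(SELLER_KEYS[request["sellerId"]], unsigned(request))
    if not hmac.compare_digest(expected, request["signature"]):
        raise ValueError("bad request signature")
    note = {"orderId": request["orderId"], "amount": request["amount"],
            "paidTo": request["sellerId"], "status": "PAID"}
    note["signature"] = sign(CASHIER_KEY, note)
    return note


def notification_is_genuine(note: dict) -> bool:
    """Did the cashier sign this notification?"""
    return hmac.compare_digest(sign(CASHIER_KEY, unsigned(note)),
                               note["signature"])


def vulnerable_merchant_ships(note: dict) -> bool:
    """Checks only that the cashier signed it and that it says PAID."""
    return notification_is_genuine(note) and note["status"] == "PAID"


def hardened_merchant_ships(note: dict) -> bool:
    """Also checks that the money went to *this* merchant. Comparing the
    amount with the order total is a separate check, omitted here."""
    return (notification_is_genuine(note)
            and note["status"] == "PAID"
            and note["paidTo"] == MERCHANT_ID)


def run_attack(hardened: bool) -> bool:
    """True if Jeff ships order 1001 although Mark paid it to himself."""
    note = cashier_pay(attacker_rewrite(merchant_checkout_page("1001", "17.76")))
    return hardened_merchant_ships(note) if hardened else vulnerable_merchant_ships(note)


def run_honest(hardened: bool) -> bool:
    """True if an untampered checkout still ships, i.e. the fix breaks nothing."""
    note = cashier_pay(merchant_checkout_page("1002", "9.99"))
    return hardened_merchant_ships(note) if hardened else vulnerable_merchant_ships(note)
```

The cashier is not wrong here: it was handed a validly signed request to pay "mark-shop" and it did so. The flaw is on the merchant side, which treats "a payment for my order ID exists" as equivalent to "I was paid for my order".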
A separate method consisted of cloning the digital token that PayPal Express uses to uniquely identify a specific payment and feeding it into the checkout process of a second order. This caused Buy.com to skip the payment step for the second order, which let the researchers obtain the purchased item for free.
Another attack exploited a logic flaw in a checkout system built on PayPal, which failed to confirm the total amount actually paid by the buyer. It allowed a fictitious buyer, whom the researchers called Mark, to pay $1.76 to a seller they named Jeff, while the amount recorded on Jeff's server was raised to $17.76.
"Interestingly, Jeff's invoice confirmed a payment of $17.76," the researchers reported. "There was no indication that the payment was in fact $1.76."
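Both of the last two attacks (the reused PayPal Express token and the $1.76 payment booked as $17.76) come down to the merchant's checkout state machine trusting data that the shopper's browser carries back. The following is an added simulation, not Buy.com's, PayPal's or the paper's code: the `Caas` class, the two merchant classes and the order names are assumptions of this example. It generalises slightly beyond the article by showing one hardened merchant that closes both holes at once.

```python
"""Merchant-side checkout state machine for an Express-Checkout-style flow,
constructed to show token replay and unverified amounts. Not real PayPal code.

Flow: the merchant asks the cashier for a token for an order; the shopper's
browser goes to the cashier, pays, and is redirected back carrying the token;
the merchant asks the cashier what was paid under that token and finalises.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Caas:
    """Stand-in for the cashier. It only knows what the browser posted."""
    payments: dict = field(default_factory=dict)  # token -> gross amount paid

    def set_checkout(self) -> str:
        return secrets.token_hex(8)

    def shopper_pays(self, token: str, amount_posted: str) -> None:
        # The cashier charges the amount the browser posted; it has no way of
        # knowing what the merchant's order total was.
        self.payments[token] = amount_posted

    def get_details(self, token: str) -> Optional[str]:
        return self.payments.get(token)


@dataclass
class VulnerableMerchant:
    caas: Caas
    orders: dict = field(default_factory=dict)  # order_id -> total
    paid: set = field(default_factory=set)

    def start(self, order_id: str, total: str) -> str:
        self.orders[order_id] = total
        return self.caas.set_checkout()  # token is never tied to order_id

    def finish(self, order_id: str, token: str) -> bool:
        """Return-URL handler: trusts whatever token the browser carried back,
        and treats 'some payment exists for it' as 'this order is paid'."""
        if self.caas.get_details(token) is None:
            return False
        self.paid.add(order_id)
        return True


@dataclass
class HardenedMerchant(VulnerableMerchant):
    token_for: dict = field(default_factory=dict)  # order_id -> issued token
    used: set = field(default_factory=set)

    def start(self, order_id: str, total: str) -> str:
        token = super().start(order_id, total)
        self.token_for[order_id] = token
        return token

    def finish(self, order_id: str, token: str) -> bool:
        """Binds the token to the order it was issued for, refuses reuse, and
        compares the gross amount the cashier reports with the order total."""
        if self.token_for.get(order_id) != token or token in self.used:
            return False
        gross = self.caas.get_details(token)
        if gross is None or gross != self.orders[order_id]:
            return False
        self.used.add(token)
        self.paid.add(order_id)
        return True


def token_replay(merchant_cls) -> bool:
    """Mark pays for a cheap order, then reuses its token on an expensive one.
    Returns True if the expensive order is marked paid."""
    caas = Caas()
    m = merchant_cls(caas)
    t1 = m.start("cheap", "1.00")
    caas.shopper_pays(t1, "1.00")
    m.finish("cheap", t1)
    m.start("dvd", "17.76")      # Mark never pays this one...
    return m.finish("dvd", t1)   # ...but presents the old token on return


def partial_payment(merchant_cls) -> bool:
    """Mark edits the amount the browser posts to the cashier from 17.76 to
    1.76. Returns True if the merchant books the order as paid."""
    caas = Caas()
    m = merchant_cls(caas)
    t = m.start("magazine", "17.76")
    caas.shopper_pays(t, "1.76")
    return m.finish("magazine", t)


def honest_checkout(merchant_cls) -> bool:
    """An untampered checkout must still succeed with either merchant."""
    caas = Caas()
    m = merchant_cls(caas)
    t = m.start("book", "9.99")
    caas.shopper_pays(t, "9.99")
    return m.finish("book", t)
```

Note the order of checks in the hardened `finish`: the token is matched to the order and checked for reuse before the cashier is even asked, so a replayed token never reaches the point where "a payment exists" could be mistaken for "this order is paid".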
The problems begin in the two most widely used e-commerce software packages: the open-source NopCommerce and the commercial Interspire Shopping Cart. By examining their source code and installing them on laboratory servers, the researchers were able to discover the vulnerabilities and work out practical ways to exploit them.
Armed with this knowledge, they turned to the closed-source, in-house software used by Buy.com and JR.com.
They said the software they analysed was highly vulnerable because it had been designed to be flexible and general enough to work with a variety of web stores and payment systems. As a result, they found a programming interface that was easy to manipulate.
"The attacker's side can use this API to place illegitimate orders, set the price values in its calls as it wishes, sign messages, and store messages received from other parties for replay in the future," the researchers wrote.
The researchers noted that the payment systems share the responsibility. In Amazon Payments they discovered a software bug that allows an attacker to supply his own digital certificate for use in the verification process.
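The verification pitfall just described, in a simplified model that is an added example and not Amazon Payments' code: a payment notification carries a pointer to the certificate that should verify it, and the receiver fetches whatever that pointer names. The certificate URLs, the `HOSTED_KEYS` stand-in for fetching a certificate, and the use of HMAC in place of a real certificate signature are assumptions of this example.

```python
"""Letting the message choose its own verification key, constructed example.

`HOSTED_KEYS` stands in for "fetch the certificate at this URL": one entry is
the cashier's real key, the other a key the attacker hosts on his own server.
Signing is HMAC-SHA256 here purely to keep the example self-contained.
"""
import hashlib
import hmac
from urllib.parse import urlencode

HOSTED_KEYS = {
    "https://cashier.example/cert.pem": "cashier-real-key",
    "https://mark.example/cert.pem": "mark-own-key",
}
PINNED_CERT_URL = "https://cashier.example/cert.pem"  # configured, not received


def sign(key: str, fields: dict) -> str:
    """HMAC-SHA256 over the fields in canonical (sorted) order."""
    msg = urlencode(sorted(fields.items())).encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def unsigned(note: dict) -> dict:
    return {k: v for k, v in note.items() if k != "signature"}


def verify_vulnerable(note: dict) -> bool:
    """Trusts the certificate location named inside the message itself, so the
    sender decides which key the receiver verifies with."""
    key = HOSTED_KEYS[note["certUrl"]]
    return hmac.compare_digest(sign(key, unsigned(note)), note["signature"])


def verify_hardened(note: dict) -> bool:
    """Ignores the in-message pointer; only the pinned cashier key counts."""
    key = HOSTED_KEYS[PINNED_CERT_URL]
    return hmac.compare_digest(sign(key, unsigned(note)), note["signature"])


def genuine_notification(order_id: str, amount: str) -> dict:
    """What the real cashier sends after a payment."""
    note = {"orderId": order_id, "amount": amount, "status": "PAID",
            "certUrl": PINNED_CERT_URL}
    note["signature"] = sign(HOSTED_KEYS[PINNED_CERT_URL], note)
    return note


def forged_notification(order_id: str, amount: str) -> dict:
    """Mark never pays: he signs a PAID notification with his own key and
    points the receiver at the certificate he hosts."""
    note = {"orderId": order_id, "amount": amount, "status": "PAID",
            "certUrl": "https://mark.example/cert.pem"}
    note["signature"] = sign("mark-own-key", note)
    return note
```

The hardened verifier does not need to reject unexpected `certUrl` values explicitly: because it only ever uses the pinned key, a message signed with any other key fails regardless of what the pointer says. Rejecting a mismatched pointer outright is still worth doing for logging, since it is a clear sign of tampering.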
The researchers were Rui Wang and Xiaofeng Wang of Indiana University and Shuo Chen and Shaz Qadeer of Microsoft. They said they had informed the sites and companies investigated about the vulnerabilities, and that all of them have either corrected the errors or announced that producing patches is a "top priority".
The paper is available in PDF format here.