If IT security is at the top of your priority list, a new study from Indiana University will further justify all that money spent on risk-reducing protocol. Informatics doctoral student Rui Wang and IU associate professor XiaoFeng Wang exploited security flaws in online stores, like Amazon and Google Checkout, to order products at reduced prices and even for free.
During the study, the research team received "electronics, DVDs, digital journal subscriptions, personal health care items, and other products" for free or at prices that they determined.
According to the team, major merchant applications like NopCommerce and Interspire, as well as cashier-as-a-service (CaaS) providers such as Amazon Payments, PayPal and Google Checkout, contain security flaws that could allow malicious users to manipulate pricing. The biggest flaws were inconsistencies in payment status updates.
For instance, researchers were able to convince Web merchandisers that they had paid for an item using Amazon Payments, while the payment was in fact being made to their own Amazon merchant account.
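The merchant-side gap described above is a payment notification that is accepted without checking whom the money actually went to. The following is an added example, not code from the study or from any of the named providers: a constructed, hypothetical notification format with a weak confirmation check beside a hardened one that binds the notification to the merchant's own account, the order, the amount and a single use.

```python
import hmac, hashlib, json

# Constructed example: merchant-side verification of a CaaS payment notice.
# Field names, the signing scheme and the secret are hypothetical, not any
# real provider's API; the checks mirror the gaps the study describes.
MY_MERCHANT_ID = "merchant-123"           # hypothetical: our own CaaS account
CAAS_SECRET = b"shared-secret-from-caas"  # hypothetical: key issued by the CaaS
ORDERS = {"ord-1": {"amount": "10.00", "currency": "USD", "status": "NEW"}}
SEEN_TXNS = set()                         # transaction ids already credited

def sign(fields: dict) -> str:
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CAAS_SECRET, msg, hashlib.sha256).hexdigest()

def weak_confirm(note: dict) -> bool:
    # Before: trusts the status flag and order id alone. A shopper who routes
    # the payment to their own CaaS account still produces status "PAID".
    return note.get("status") == "PAID" and note.get("order_id") in ORDERS

def hardened_confirm(note: dict) -> bool:
    fields = {k: v for k, v in note.items() if k != "sig"}
    if not hmac.compare_digest(sign(fields), note.get("sig", "")):
        return False                      # not issued by the CaaS, or tampered
    order = ORDERS.get(note.get("order_id"))
    if order is None or order["status"] != "NEW":
        return False                      # unknown order or already settled
    if note.get("payee") != MY_MERCHANT_ID:
        return False                      # paid into someone else's account
    if (note.get("amount"), note.get("currency")) != (order["amount"], order["currency"]):
        return False                      # amount or currency does not match order
    if note.get("status") != "PAID" or note.get("txn_id") in SEEN_TXNS:
        return False                      # unpaid, or a replayed notification
    SEEN_TXNS.add(note["txn_id"])
    order["status"] = "PAID"
    return True

def make_note(payee, amount="10.00", order_id="ord-1", txn_id="t-1", status="PAID"):
    # Builds a CaaS-signed notification (constructed test data); in practice
    # only the CaaS holds the key, so payee reflects where the money went.
    fields = {"order_id": order_id, "payee": payee, "amount": amount,
              "currency": "USD", "status": status, "txn_id": txn_id}
    return {**fields, "sig": sign(fields)}
```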
"We believe that it is difficult to ensure the security of a CaaS-based checkout system in the presence of a malicious shopper who intends to exploit these knowledge gaps between the merchant and the CaaS," XiaoFeng Wang said. "This trilateral interaction (between merchant apps, online stores and the CaaS) can be significantly more complicated than typical bilateral interactions between a browser and a server, which have already been found to be fraught with subtle logic bugs."
Although the major flaws were found in merchant software, there were also faults in the systems of the CaaS providers themselves. An error in the Amazon Payments software development kit, for example, decreased the accuracy of payment notifications.
The study only analyzed flaws in simple trilateral interactions, while real-world applications often involve many more parties. According to the researchers, the study has troubling implications for complicated transactions, like marketplaces and auctions.
"This calls for further security studies about such complicated multiparty Web applications," said Rui Wang, an IU Bloomington School of Informatics and Computing doctoral student, according to a statement. "Our analysis revealed the logic complexity in CaaS-based checkout mechanisms, and the effort required to verify their security properly when developing and testing these systems. We believe this study takes the first step in the new security problem space that hybrid Web applications bring."
The team now hopes to examine how these flaws could allow a user to buy two of the same items at different prices and then return the cheaper one for a large refund.
"An interesting question might be whether we can check out a $1 order and a $10 order and cancel the $1 order to get $10 refunded," Rui Wang explained.
In all cases, the researchers informed affected online stores and merchandisers, returned any products received, and worked to help fix security flaws.
XiaoFeng Wang and Rui Wang led the team and were lead authors on the study. They will present their results, "How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores," in May at the Institute of Electrical and Electronics Engineers' annual Symposium on Security and Privacy in Oakland, Calif. The paper can be found online.