Amazon fixes freebie glitch

INDIANA U. (US) — A research team exploited a software flaw in leading online sites that use third-party payment services like PayPal, receiving products for free or at prices they determined.

In some cases they were able to convince the web stores they had paid for an item through cashier-as-a-service (CaaS) provider Amazon Payments while actually making the payment into their own merchant account at Amazon. The group will present details of their findings in May at the Institute of Electrical and Electronics Engineers’ annual Symposium on Security and Privacy in Oakland, Calif.

Leading merchant applications NopCommerce and Interspire, cashier-as-a-service providers such as Amazon Payments, and some popular online merchants all contained serious logic flaws that would allow malicious users to exploit inconsistencies in how payment statuses were perceived by the merchants and CaaS providers (Amazon Payments, PayPal, and Google Checkout).

In each case where flaws were found the researchers reported their findings to the affected parties, returned any property received, and worked with merchants to correct the flaws.

“We believe that it is difficult to ensure the security of a CaaS-based checkout system in the presence of a malicious shopper who intends to exploit these knowledge gaps between the merchant and the CaaS,” says XiaoFeng Wang, study co-author and associate professor of informatics and computing at Indiana University.

“This trilateral interaction (between merchant apps, online stores, and the CaaS) can be significantly more complicated than typical bilateral interactions between a browser and a server, which have already been found to be fraught with subtle logic bugs.”

Most of the flaws were due to lapses in merchant software, the researchers say, but responsibility also fell on the CaaSs. In one case the researchers discovered an error in Amazon Payments’ software development kit that led to the company significantly altering the way it verifies payment notifications.
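The checks a merchant needs before marking an order paid, given the payee and price inconsistencies described above, as an added example that is not code from the researchers, Amazon, or any merchant application. It assumes a hypothetical notification format in which an HMAC key stands in for the provider's signature; all field names, IDs, and keys are constructed.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Everything here is constructed for illustration: the field names, the
# merchant IDs and the HMAC key standing in for the provider's signature.
PROVIDER_KEY = b"constructed-demo-key"
MY_MERCHANT_ID = "store-A"
FIELDS = ("txn_id", "payee", "order_id", "amount", "currency", "status")


def sign(msg):
    """Stand-in for the provider signing a notification."""
    canonical = "\n".join(f"{k}={msg[k]}" for k in FIELDS)
    return hmac.new(PROVIDER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def authentic(msg):
    """True if all fields are present and the signature verifies."""
    if any(k not in msg for k in FIELDS + ("sig",)):
        return False
    return hmac.compare_digest(sign(msg), msg["sig"])


def check_notification(msg, orders, seen_txns):
    """Return 'ok' or the reason the notification must not mark an order paid."""
    if not authentic(msg):
        return "bad signature"
    if msg["payee"] != MY_MERCHANT_ID:
        return "payee mismatch"          # genuine payment, but to another account
    if msg["status"] != "PAID":
        return "not paid"
    if msg["txn_id"] in seen_txns:
        return "replayed transaction"
    order = orders.get(msg["order_id"])
    if order is None or order["paid"]:
        return "unknown or already-paid order"
    try:
        amount = Decimal(msg["amount"])
    except InvalidOperation:
        return "bad amount"
    if (amount, msg["currency"]) != (order["amount"], order["currency"]):
        return "amount mismatch"         # price differs from the merchant's record
    seen_txns.add(msg["txn_id"])
    order["paid"] = True
    return "ok"


def notify(**fields):
    """Build a signed sample notification (constructed data)."""
    return {**fields, "sig": sign(fields)}
```

A signature check alone accepts the second and third cases in the test data, because both are genuine notifications; only comparison against the merchant's own order record rejects them.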

More troubling, the report notes, is that the preliminary study touched only on the simplest trilateral interactions and not on other real-world applications that involve even more parties, like marketplaces and auctions, which the researchers now believe could be even more error-prone.

“This calls for further security studies about such complicated multi-party web applications,” says lead author Rui Wang, a doctoral student. “Our analysis revealed the logic complexity in CaaS-based checkout mechanisms, and the effort required to verify their security properly when developing and testing these systems. We believe this study takes the first step in the new security problem space that hybrid web applications bring.”

The research group, which also included Shuo Chen and Shaz Qadeer of Microsoft Research in Redmond, Wash., says it now hopes to explore whether similar flaws can be found that would allow malicious users to purchase two items at extremely different prices and then return the cheaper one while receiving a refund for the more expensive item.

“An interesting question might be whether we can check out a $1 order and a $10 order and cancel the $1 order to get $10 refunded,” Rui Wang adds.

In January Rui Wang and XiaoFeng Wang, his doctoral adviser, and Shuo Chen, the Microsoft researcher, were part of a team that uncovered Facebook vulnerabilities that allowed malicious websites to access and share private user data. Facebook later confirmed it had repaired the vulnerabilities.

Earlier this year informatics doctoral student Rui Wang, left, and associate professor XiaoFeng Wang uncovered a Facebook security flaw and assisted in fixing it. (Credit: Indiana University)


3 Comments


  1. Powerful Computer

    What’s wrong with simply sticking to money, or at least, with credit cards? I read from a blog that it’s so futile for people to discover stuff not even worth discovering or at least given time. When we do this it feels like you’re just making a square version of wheel just because you like how it’s seen. Curiosity sometimes kills.

  2. Lisa

    There are lots of new payment options popping up in SV, more peer to peer options like you see on Airbnb, Listia or PoundPay. Going to be lots of problems with these, but could offer better solutions in the long term.

  3. Nathaniel

    This just goes to show that you have to be really careful when selecting a payment processor. Not only that, the smart thing to do is to keep an eye out for news that pops up about the processor being used. A Google alert set to “processor fraud” or “processor hack” is a simple solution that could save a big headache later.
