Featured Research

from universities, journals, and other organizations

Informaticists uncover online security flaws, receive free products

Date:
March 31, 2011
Source:
Indiana University
Summary:
Researchers have exploited software flaws in leading online stores that use third-party payment services PayPal, Amazon Payments and Google Checkout to receive products for free or at prices far below the advertised purchase price.

Internet security researchers at Indiana University and Microsoft Research have exploited software flaws in leading online stores that use third-party payment services PayPal, Amazon Payments and Google Checkout to receive products for free or at prices far below the advertised purchase price.

The research group that included IU Bloomington School of Informatics and Computing Associate Professor XiaoFeng Wang and doctoral student Rui Wang, as the lead author, was able to receive electronics, DVDs, digital journal subscriptions, personal health care items and other products either free or at prices the group itself determined.

Leading merchant applications NopCommerce and Interspire, cashier-as-a-service (CaaS) providers such as Amazon Payments and some popular online merchants all contained serious logic flaws that would allow malicious users to exploit inconsistencies in how payment statuses were perceived by the merchants and CaaS providers (Amazon Payments, PayPal and Google Checkout). The researchers in some cases were able to convince the web stores they had paid for an item through Amazon Payment while actually making the payment into their own merchant account at Amazon.

"We believe that it is difficult to ensure the security of a CaaS-based checkout system in the presence of a malicious shopper who intends to exploit these knowledge gaps between the merchant and the CaaS," XiaoFeng Wang said. "This trilateral interaction (between merchant apps, online stores and the CaaS) can be significantly more complicated than typical bilateral interactions between a browser and a server, which have already been found to be fraught with subtle logic bugs."

Most of the flaws were due to lapses in merchant software, they said, but responsibility also fell on the CaaSs. In one case the researchers discovered an error in Amazon Payments' software development kit that led to the company significantly altering the way it verifies payment notifications.

More troubling, the report notes, is that the preliminary study touched only on the simplest trilateral interactions and not on other real-world applications that involve even more parties, like marketplaces and auctions, which the researchers now believe could be even more error-prone.

"This calls for further security studies about such complicated multi-party web applications," said Rui Wang. "Our analysis revealed the logic complexity in CaaS-based checkout mechanisms, and the effort required to verify their security properly when developing and testing these systems. We believe this study takes the first step in the new security problem space that hybrid web applications bring."

The research group, which also included Shuo Chen and Shaz Qadeer of Microsoft Research in Redmond, Wash., said it now hopes to explore whether similar flaws can be found that would allow malicious users to purchase two items at extremely different prices and then return the cheaper one while receiving a refund for the more expensive item.

"An interesting question might be whether we can check out a $1 order and a $10 order and cancel the $1 order to get $10 refunded," Rui Wang added.

In each case where flaws were found the researchers reported their findings to the affected parties, received acknowledgements from the parties, returned any property received, and worked with them to correct the flaws.

In January 2011 Rui Wang and XiaoFeng Wang, his doctoral adviser, and Shuo Chen, the Microsoft researcher, were part of a team that uncovered Facebook vulnerabilities that allowed malicious websites to access and share private user data. Facebook later confirmed it had repaired the vulnerabilities. XiaoFeng Wang is also acting director of the IU Center for Security Informatics and is an affiliated researcher at IU's Center for Applied Cybersecurity Research.

Their current work, "How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores," will be formally presented in May at the Institute of Electrical and Electronics Engineers' annual Symposium on Security and Privacy in Oakland, Calif.


Story Source:

The above story is based on materials provided by Indiana University. Note: Materials may be edited for content and length.


Cite This Page:

Indiana University. "Informaticists uncover online security flaws, receive free products." ScienceDaily. ScienceDaily, 31 March 2011. <www.sciencedaily.com/releases/2011/03/110331114903.htm>.
Indiana University. (2011, March 31). Informaticists uncover online security flaws, receive free products. ScienceDaily. Retrieved April 24, 2014 from www.sciencedaily.com/releases/2011/03/110331114903.htm
Indiana University. "Informaticists uncover online security flaws, receive free products." ScienceDaily. www.sciencedaily.com/releases/2011/03/110331114903.htm (accessed April 24, 2014).

Share This



More Computers & Math News

Thursday, April 24, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Monkeys Are Better At Math Than We Thought, Study Shows

Monkeys Are Better At Math Than We Thought, Study Shows

Newsy (Apr. 23, 2014) A Harvard University study suggests monkeys can use symbols to perform basic math calculations. Video provided by Newsy
Powered by NewsLook.com
High Court to Hear Dispute of TV Over Internet

High Court to Hear Dispute of TV Over Internet

AP (Apr. 22, 2014) The future of Aereo, an online service that provides over-the-air TV channels, hinges on a battle with broadcasters that goes before the U.S. Supreme Court on Tuesday. (April 22) Video provided by AP
Powered by NewsLook.com
Aereo Takes on Broadcast TV Titans in Supreme Court Today

Aereo Takes on Broadcast TV Titans in Supreme Court Today

TheStreet (Apr. 22, 2014) Aereo heads to the Supreme Court today to fight for its right to stream broadcast TV over the Internet -- against broadcasters who say the start-up infringes upon copyright law. TheStreet Deputy Managing Editor Leon Lazaroff explains the importance of the case in the TV industry and details what the outcome of it could mean for broadcasters and for cloud storage services -- as Aereo allows its subscribers to not just watch live TV shows but also store content to a DVR in the cloud. Video provided by TheStreet
Powered by NewsLook.com
Lytro Introduces 'Illum,' A Professional Light-Field Camera

Lytro Introduces 'Illum,' A Professional Light-Field Camera

Newsy (Apr. 22, 2014) The light-field photography engineers at Lytro unveiled their next innovation: a professional DSLR-like camera called "Illum." Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:
from the past week

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins