Security researchers go shopping for free

Security researchers at Microsoft Research and Indiana University say they’ve been able to get products for free or well below the correct price from several major online stores.

In what must have been a fun little shopping spree, the team snapped up electronics, DVDs, digital journal subscriptions, personal health care items and other products from stores using third-party payment services PayPal, Amazon Payments and Google Checkout.

Merchant applications nopCommerce and Interspire, cashier-as-a-service (CaaS) providers such as Amazon Payments, and some popular online merchants all contained serious logic flaws that left the merchant and the CaaS with inconsistent views of a payment's status, says the team.

In some cases, the researchers convinced the web stores they'd paid for an item through Amazon Payments, while actually bunging the cash into their own merchant account at Amazon: the store saw a payment notification it treated as valid, but never checked that it was the party being paid.

“We believe that it is difficult to ensure the security of a CaaS-based checkout system in the presence of a malicious shopper who intends to exploit these knowledge gaps between the merchant and the CaaS,” says IU associate professor XiaoFeng Wang.

“This trilateral interaction (between the shopper's browser, the merchant and the CaaS) can be significantly more complicated than typical bilateral interactions between a browser and a server, which have already been found to be fraught with subtle logic bugs.”

Most of the flaws were due to lapses in merchant software, they said, but they also found an error in Amazon Payments’ software development kit that led to the company significantly altering the way it verifies payment notifications.
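To make the attack class concrete, here is an added Python sketch that is not code from the paper, from Amazon, or from any of the merchant products named above. It models a constructed toy cashier-as-a-service (HMAC signatures over sorted fields, one secret per registered merchant, and a CaaS "verify signature" service that answers for any merchant's key) together with two merchant-side confirmation handlers: a naive one that trusts a CaaS-validated signature plus a PAID status, and a hardened one that checks the payee, the amount, the order state and the signature against the merchant's own key. The field names, merchant identifiers and the signing scheme are all assumptions made for the example; the point it demonstrates is the "paid into my own merchant account" trick described above and why verifying only that a notification is authentic is not enough.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed toy CaaS (an assumption for this example, not any real provider's
# protocol): every registered merchant, including one a shopper opens, has its
# own secret, and the CaaS signs a notification with the payee's secret.
CAAS_MERCHANT_KEYS = {
    "store-42": b"store-42-secret",      # the honest online store
    "mallory-shop": b"mallory-secret",   # a seller account the shopper controls
}


def sign(fields: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical 'k=v&k=v' encoding of the fields."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def caas_notify(order_id: str, amount: float, payee: str, status: str = "PAID") -> dict:
    """Notification the CaaS emits after a shopper pays `amount` to `payee`."""
    fields = {"order_id": order_id, "amount": f"{amount:.2f}",
              "merchant_id": payee, "status": status}
    return {**fields, "sig": sign(fields, CAAS_MERCHANT_KEYS[payee])}


def caas_verify_signature(n: dict) -> bool:
    """CaaS-side 'is this signature valid?' service. It answers yes for ANY
    registered merchant's key, so a yes says nothing about who was paid."""
    fields = {k: v for k, v in n.items() if k != "sig"}
    key = CAAS_MERCHANT_KEYS.get(n.get("merchant_id", ""))
    return key is not None and hmac.compare_digest(sign(fields, key), n.get("sig", ""))


@dataclass
class Merchant:
    merchant_id: str
    caas_key: bytes                               # secret shared only with the CaaS
    orders: dict = field(default_factory=dict)    # order_id -> amount due
    paid: set = field(default_factory=set)

    def naive_confirm(self, n: dict) -> bool:
        """Flawed handler: a signature the CaaS vouches for plus status=PAID is
        taken as proof that THIS store received the order's full price."""
        ok = (caas_verify_signature(n) and n.get("status") == "PAID"
              and n.get("order_id") in self.orders)
        if ok:
            self.paid.add(n["order_id"])
        return ok

    def hardened_confirm(self, n: dict) -> bool:
        """Reconcile the merchant's own view of the order with every field the
        CaaS asserts, and verify the signature with our own key."""
        order_id = n.get("order_id")
        if order_id not in self.orders or order_id in self.paid:
            return False                  # unknown order, or a replayed notification
        if n.get("merchant_id") != self.merchant_id:
            return False                  # the money went to somebody else's account
        fields = {k: v for k, v in n.items() if k != "sig"}
        if not hmac.compare_digest(sign(fields, self.caas_key), n.get("sig", "")):
            return False                  # not signed under OUR merchant account
        if n.get("status") != "PAID" or n.get("amount") != f"{self.orders[order_id]:.2f}":
            return False                  # wrong state or wrong amount
        self.paid.add(order_id)
        return True


def demo() -> dict:
    """Run the attack variants against both handlers; returns pass/fail flags."""
    naive = Merchant("store-42", CAAS_MERCHANT_KEYS["store-42"], orders={"order-1": 99.00})
    store = Merchant("store-42", CAAS_MERCHANT_KEYS["store-42"], orders={"order-1": 99.00})
    to_self = caas_notify("order-1", 99.00, "mallory-shop")   # paid into shopper's own account
    underpaid = caas_notify("order-1", 0.01, "store-42")      # paid the store, but one cent
    genuine = caas_notify("order-1", 99.00, "store-42")
    return {
        "naive_accepts_payment_to_attacker": naive.naive_confirm(to_self),
        "naive_accepts_underpayment": naive.naive_confirm(underpaid),
        "hardened_rejects_payment_to_attacker": not store.hardened_confirm(to_self),
        "hardened_rejects_underpayment": not store.hardened_confirm(underpaid),
        "hardened_accepts_genuine": store.hardened_confirm(genuine),
        "hardened_rejects_replay": not store.hardened_confirm(genuine),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The hardened handler treats the notification as a claim to be reconciled against the merchant's own record (which order, how much, to whom, and whether it has already been consumed) rather than as a verdict; verifying it with the merchant's own key rather than with a key or a verification service selected by data in the message is what closes the gap the naive handler leaves open.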

More worrying, say the researchers, is that they looked only at the simplest trilateral interactions, and that real-world applications with more parties, such as marketplaces and auctions, could be even more error-prone.

The team now plans to try out a few more money-saving techniques on the retailers.

“An interesting question might be whether we can check out a $1 order and a $10 order and cancel the $1 order to get $10 refunded,” says doctoral student Rui Wang.

But they promise they won’t benefit from their booty: in each case where flaws were found, they reported them, returned the goods and helped fix the flaws.