A group of researchers carried out a practical attack on major e-commerce sites that use external payment services, obtaining goods for free or at prices they chose themselves.
A security hole in the handling of online payments allowed them to buy electronics, DVDs, electronic subscriptions to periodicals, hygiene products and other goods at prices they set for themselves. The researchers informed the affected stores about the hole and helped them fix it.
(Source: Indiana University) In some cases they managed to convince the online retailers that they had paid for a purchase through Amazon's external Cashier-as-a-Service (CaaS) payment service, when in fact they had paid the money into their own merchant account at Amazon. The researchers plan to present the details in May [2011] at the IEEE Symposium on Security and Privacy in Oakland, California, held under the auspices of the Institute of Electrical and Electronics Engineers (IEEE).
Leading commercial store applications NopCommerce and Interspire, external payment service providers such as Amazon Payments, and some popular online shopping sites contain serious flaws in their payment-processing logic. These allow an attacker to exploit inconsistencies in how payment status is passed between the merchant platform and the external payment service (Amazon Payments, PayPal and Google Checkout).
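The flaw class described above, shown as an added illustration that is not code from the study, from the named store applications, or from any payment provider: a merchant receives a signed "paid" notification from a cashier and must decide whether to ship. The cashier key, merchant identifiers, order and notification format below are all constructed for the example; a real cashier uses public-key signatures, but the point is the same, because a valid signature proves only that the cashier issued the message, not that the cashier paid this merchant the right amount for this order.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed for this example: one key stands in for the cashier's signing
# key. Like the cashier's public-key signature it proves "the cashier said
# this", not "the cashier paid *you*" or "the full price was paid".
CAAS_SIGNING_KEY = b"example-caas-signing-key"
OUR_MERCHANT_ID = "merchant-victim"      # hypothetical identifier for our store


def caas_sign(fields: dict) -> str:
    """The cashier's (simplified) signature: HMAC-SHA256 over canonical JSON."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CAAS_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def caas_notify(payee: str, order_id: str, amount: str, currency: str = "USD") -> dict:
    """Play the cashier: emit a genuinely signed 'paid' notification.
    The payer chooses order_id and amount; the cashier only vouches that
    `payee` really received `amount`. A shopper who is also a cashier
    customer can therefore obtain a valid notification naming any order."""
    fields = {"payee": payee, "order_id": order_id, "amount": amount,
              "currency": currency, "status": "paid"}
    return {**fields, "signature": caas_sign(fields)}


@dataclass
class Order:
    order_id: str
    amount: str          # decimal string as stored in the merchant database
    currency: str
    status: str = "pending"


def new_store() -> dict:
    """Fresh merchant state: one unpaid $499.00 order (constructed sample data)."""
    return {"ORD-1": Order("ORD-1", "499.00", "USD")}


def signature_ok(notification: dict) -> bool:
    """Verify that the cashier signed exactly these fields."""
    fields = {k: v for k, v in notification.items() if k != "signature"}
    return hmac.compare_digest(caas_sign(fields), notification.get("signature", ""))


def weak_handle(store: dict, notification: dict) -> bool:
    """Vulnerable merchant logic: a valid cashier signature plus a known order id
    is taken as proof that this order was paid in full, to us."""
    if not signature_ok(notification):
        return False
    order = store.get(notification.get("order_id"))
    if order is None or notification.get("status") != "paid":
        return False
    order.status = "paid"
    return True


def strict_handle(store: dict, notification: dict) -> bool:
    """Hardened logic: the notification must be signed by the cashier, name us
    as payee, match the order's amount and currency exactly, and refer to an
    order that is still pending, so a replayed notification cannot mark it twice."""
    if not signature_ok(notification):
        return False
    if notification.get("payee") != OUR_MERCHANT_ID:
        return False                      # money went to someone else's account
    order = store.get(notification.get("order_id"))
    if order is None or order.status != "pending":
        return False
    if (notification.get("amount"), notification.get("currency")) != (order.amount, order.currency):
        return False                      # wrong price or wrong currency
    if notification.get("status") != "paid":
        return False
    order.status = "paid"
    return True


def demo() -> dict:
    """Run the honest case and two attacker cases through both handlers."""
    honest = caas_notify(OUR_MERCHANT_ID, "ORD-1", "499.00")
    self_pay = caas_notify("merchant-attacker", "ORD-1", "1.00")   # paid own account
    underpay = caas_notify(OUR_MERCHANT_ID, "ORD-1", "1.00")        # paid us, but $1
    return {
        "honest": (weak_handle(new_store(), honest), strict_handle(new_store(), honest)),
        "self_pay": (weak_handle(new_store(), self_pay), strict_handle(new_store(), self_pay)),
        "underpay": (weak_handle(new_store(), underpay), strict_handle(new_store(), underpay)),
    }


if __name__ == "__main__":
    print(demo())
```

The weak handler ships goods in both attacker cases even though every signature it checked was genuine; the strict handler rejects them because it compares payee, amount and currency against its own record of the order, and it refuses a second notification for an order already marked paid.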
In each of the cases mentioned, the researchers informed the affected parties about the vulnerabilities they had found, returned the goods they had obtained, and advised the services on the nature of the errors and how to correct them.
“We believe that, when working with external payment services, it is very difficult to guarantee that there is no attacker able to exploit the vulnerabilities we found,”
said XiaoFeng Wang, co-author of the study and professor of computer science and informatics at Indiana University.
“In addition, a three-party interaction (between a shopping application, an online store and an external payment service) is more complex than the two-party link between a browser and a server, and so it gives rise to subtle logic errors.”
According to the researchers, most of the vulnerabilities lie in the merchant applications, but part of the responsibility rests with the external payment services. In one case a vulnerability was found in the Amazon Payments SDK, which led the company to substantially change the way it verifies payment notifications.
As the report states, this initial study covered only simple three-party interactions and did not consider scenarios involving additional parties, such as auctions and complex trading platforms. Such scenarios are likely to be even more vulnerable.
According to the study's lead author, graduate student Rui Wang,
“Multi-tier web applications will require further security work. We analyzed the complex mechanisms of systems built on external payment services and concluded that security questions should be raised at the development and testing stage of such systems. We see our work as the first step in a new area: the security of hybrid web applications.”
The research team, which also includes Shuo Chen and Shaz Qadeer of Microsoft Research (Redmond, Washington), expects to examine similar vulnerabilities in which an attacker makes two purchases with a large difference in price, returns the cheaper one, and receives the refund for the more expensive one.
“It would be interesting if we placed an order for $1 and one for $10, canceled the $1 order, and were refunded the money for the $10 order,”
adds Rui Wang.
In January [2011], Rui Wang and his academic advisor XiaoFeng Wang, together with Microsoft researcher Shuo Chen, were members of a research team that found
vulnerabilities in Facebook. Those vulnerabilities allowed malicious sites to obtain and spread users' personal data. Facebook later confirmed and fixed the errors.