[Translation] Amazon is working on bugs

Original author: Steve Chaplin (Indiana University)
A group of researchers demonstrated a practical attack on major online stores that hand payment off to an external payment service: they were able to obtain goods for free or at a price they chose themselves.

The flaw in how online payments are processed let them buy electronics, DVDs, digital magazine subscriptions, hygiene products and other goods at prices of their own choosing. The researchers informed the affected stores of the vulnerability and helped them fix it. (Source: Indiana University)

In some cases they were able to convince an online store that a purchase had been paid for through an external payment service (cashier-as-a-service, CaaS), Amazon Payments, when in fact the money had gone into the researchers' own Amazon seller account. The researchers plan to present the details in May [2011] at the IEEE Symposium on Security and Privacy in Oakland, California.

Popular e-commerce applications nopCommerce and Interspire, providers of external payment services such as Amazon Payments, and a number of popular online stores contain serious flaws in their payment-processing logic. An attacker can exploit inconsistencies in how payment status is passed between the merchant site and the external payment service (Amazon Payments, PayPal and Google Checkout).

In each case the researchers informed the affected parties of the vulnerabilities, returned the improperly obtained goods and advised the services on the nature of the flaws and how to fix them.
“We believe that when working with external payment services it is very difficult to verify the absence of an attacker who can take advantage of the vulnerabilities found,”
said XiaoFeng Wang, co-author of the study and professor of computer science and informatics at Indiana University.

“In addition, a three-party interaction (between a merchant application, an online store and an external payment service) is more complex than the two-party interaction between a browser and a server, so subtle logic errors turn up in it.”

According to the researchers, most of the vulnerabilities were found in the merchant applications, but part of the responsibility lies with the external payment services. In one case a vulnerability was found in the Amazon Payments SDK, which forced the company to substantially change the way it verifies payment notifications.
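To make this class of flaw concrete, here is an added example; it is not code from the paper, the article, Amazon Payments, nopCommerce or Interspire. It models a merchant whose checkout trusts any authentic "payment succeeded" notification that names one of its orders, next to a merchant that also checks that the notification says this merchant was paid this order's price. The attacker is itself a legitimate seller at the payment service, so the service honestly signs a payment made to the attacker's own account, exactly the scenario described above. The account names, field names and the HMAC stand-in for the provider's real signature scheme are assumptions made for the example.

```python
"""Toy model of a cashier-as-a-service (CaaS) payment notification flow.

Added illustration, not code from the paper or from any real payment
provider or shop software. Account ids, field names and the HMAC used in
place of the provider's signature scheme are constructed for this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Key held only by the CaaS (stand-in for the provider's real signing scheme).
CAAS_SIGNING_KEY = b"caas-secret-signing-key"

MERCHANT_ACCOUNT = "seller-merchant-001"   # the shop's own account at the CaaS
ATTACKER_ACCOUNT = "seller-attacker-999"   # the attacker also holds a seller account


def sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CAAS_SIGNING_KEY, body, hashlib.sha256).hexdigest()


def caas_notify(recipient: str, amount: str, currency: str, reference: str) -> dict:
    """The CaaS records a real payment and emits a signed notification.
    It vouches only for what it knows: who was paid, how much, and the
    opaque reference string the payer's browser carried along."""
    n = {"status": "PS", "recipient": recipient, "amount": amount,
         "currency": currency, "reference": reference}
    n["signature"] = sign(n)
    return n


@dataclass
class Order:
    order_id: str
    amount: str
    currency: str
    paid: bool = False


def signature_valid(notification: dict) -> bool:
    unsigned = {k: v for k, v in notification.items() if k != "signature"}
    return hmac.compare_digest(sign(unsigned), notification.get("signature", ""))


def vulnerable_handler(orders: dict, notification: dict) -> bool:
    """Marks an order paid on any authentic 'PS' notification that names it.
    Authenticity is checked; who was paid and how much is not."""
    if not signature_valid(notification) or notification["status"] != "PS":
        return False
    order = orders.get(notification["reference"])
    if order is None:
        return False
    order.paid = True
    return True


def hardened_handler(orders: dict, notification: dict) -> bool:
    """Accepts only if the CaaS says *this merchant* received *this order's* price."""
    if not signature_valid(notification) or notification["status"] != "PS":
        return False
    order = orders.get(notification["reference"])
    if order is None or order.paid:                       # unknown order or replay
        return False
    if notification["recipient"] != MERCHANT_ACCOUNT:     # money went elsewhere
        return False
    if (notification["amount"], notification["currency"]) != (order.amount, order.currency):
        return False                                      # price or currency tampered
    order.paid = True
    return True


def run_attack(handler) -> bool:
    """Attacker checks out ORD-1 ($599.00) but routes the payment to their own
    seller account for $1.00. Returns True if the merchant marked ORD-1 paid."""
    orders = {"ORD-1": Order("ORD-1", "599.00", "USD")}
    notification = caas_notify(ATTACKER_ACCOUNT, "1.00", "USD", "ORD-1")
    handler(orders, notification)
    return orders["ORD-1"].paid


def run_honest(handler) -> bool:
    """A genuine buyer pays the merchant the full price for ORD-1."""
    orders = {"ORD-1": Order("ORD-1", "599.00", "USD")}
    notification = caas_notify(MERCHANT_ACCOUNT, "599.00", "USD", "ORD-1")
    handler(orders, notification)
    return orders["ORD-1"].paid


if __name__ == "__main__":
    print("vulnerable merchant, attacker's order paid:", run_attack(vulnerable_handler))  # True
    print("hardened merchant, attacker's order paid:", run_attack(hardened_handler))      # False
    print("hardened merchant, honest order paid:", run_honest(hardened_handler))          # True
```

The point of the contrast is that a valid signature only proves the notification came from the payment service, not that it describes a payment to this merchant for this order; the merchant must compare recipient, amount and currency against its own record of the order rather than against fields the buyer's browser supplied.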

As the report states, this preliminary study covered only simple three-party interactions and did not consider scenarios involving additional parties, such as auctions and integrated trading platforms. Such scenarios are most likely even more vulnerable.

According to the study's lead author, graduate student Rui Wang,
“Multi-tier web applications will require further security work. We analyzed the complex mechanisms of systems built on external payment services and concluded that security issues should be raised at the development and testing stage of such systems. We see our work as the first step into a new area of security challenges for hybrid web applications.”

The research team, which also includes Shuo Chen and Shaz Qadeer of Microsoft Research (Redmond, Washington), intends to look at similar vulnerabilities in which an attacker makes two purchases at very different prices, returns the cheaper one and receives a refund for the more expensive one.

“It would be interesting if we placed orders for $1 and $10, cancelled the $1 order, and were refunded for the $10 order,”
adds Rui Wang.

In January [2011], Rui Wang, his research adviser XiaoFeng Wang, and Microsoft researcher Shuo Chen were part of a team that found a vulnerability in Facebook that allowed malicious sites to obtain and spread users' personal data. Facebook later confirmed and fixed the flaws.
