How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores
- 1 May 2011
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- No. 10816011, pp. 465-480
- https://doi.org/10.1109/sp.2011.26
Abstract
Web applications increasingly integrate third-party services. The integration introduces new security challenges because the application must coordinate its internal state with those of the component services and of the web client across the Internet. In this paper, we study the security implications of this problem for merchant websites that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout), which we refer to as Cashier-as-a-Service, or CaaS. We found that leading merchant applications (e.g., NopCommerce and Interspire), popular online stores (e.g., Buy.com and JR.com) and a prestigious CaaS provider (Amazon Payments) all contain serious logic flaws that can be exploited to cause inconsistencies between the states of the CaaS and the merchant. As a result, a malicious shopper can purchase an item at an arbitrarily low price, shop for free after paying for one item, or even avoid payment altogether. We reported our findings to the affected parties; they either updated their vulnerable software or continued to work on fixes with high priority. We further studied the complexity of finding this type of logic flaw in typical CaaS-based checkout systems, and gained a preliminary understanding of the effort needed to improve the security assurance of such systems during their development and testing processes.
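The abstract describes the flaw class in general terms: the merchant's view of an order and the cashier's view of the payment drift apart, and the shopper is the party relaying messages between the two. The following is an added illustration of that class, not code from the paper and not the checkout code of any of the merchants or cashiers it names. It models a minimal merchant-side "payment completed" handler in two forms: a weak one that finalises whatever order the browser names as soon as the cashier reports a successful payment, and a hardened one that only acts on a cashier notification whose signature verifies and whose order ID, amount and currency match the merchant's own record, and that refuses to honour the same payment twice. The HMAC signing scheme, the field names and the order book are all constructed assumptions for the example.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Assumed shared secret between merchant and cashier, used here to sign
# notifications. A real CaaS would use its own signing mechanism.
CASHIER_SECRET = b"example-shared-secret"


def fresh_orders():
    """Constructed merchant order book: two pending orders at very different prices."""
    return {
        "order-1001": {"amount": "499.00", "currency": "USD", "status": "pending"},
        "order-1002": {"amount": "5.00", "currency": "USD", "status": "pending"},
    }


def sign(msg: dict) -> str:
    """Canonical JSON, then HMAC-SHA256 (assumed cashier signing scheme)."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CASHIER_SECRET, body, hashlib.sha256).hexdigest()


def cashier_notification(order_id, amount, currency, payment_id):
    """Constructed stand-in for the cashier's 'paid' message to the merchant."""
    msg = {"status": "paid", "order_id": order_id, "amount": amount,
           "currency": currency, "payment_id": payment_id}
    return msg, sign(msg)


def weak_complete_order(orders, order_id_from_browser, cashier_msg):
    """Vulnerable pattern: the merchant trusts the browser to say which order
    was paid and only checks that the cashier reported *some* payment.
    Nothing ties the payment's amount or order to the order being shipped."""
    if cashier_msg.get("status") != "paid":
        return "rejected: not paid"
    orders[order_id_from_browser]["status"] = "paid"
    return "shipped"


def hardened_complete_order(orders, used_payment_ids, cashier_msg, signature):
    """Hardened pattern: every fact the merchant acts on comes from the
    cashier's signed message and is checked against the merchant's own state."""
    if not hmac.compare_digest(sign(cashier_msg), signature):
        return "rejected: bad signature"
    if cashier_msg.get("status") != "paid":
        return "rejected: not paid"
    if cashier_msg["payment_id"] in used_payment_ids:
        return "rejected: replayed payment"          # one payment, one order
    order = orders.get(cashier_msg["order_id"])
    if order is None or order["status"] != "pending":
        return "rejected: unknown or already completed order"
    if (Decimal(cashier_msg["amount"]) != Decimal(order["amount"])
            or cashier_msg["currency"] != order["currency"]):
        return "rejected: amount mismatch"           # paid less than the price
    used_payment_ids.add(cashier_msg["payment_id"])
    order["status"] = "paid"
    return "shipped"


if __name__ == "__main__":
    # Shopper pays $5 for order-1002 but tells the weak merchant to ship order-1001.
    orders = fresh_orders()
    msg, sig = cashier_notification("order-1002", "5.00", "USD", "pay-1")
    print("weak:", weak_complete_order(orders, "order-1001", msg))

    # Same $5 payment presented to the hardened handler is bound to order-1002 only.
    orders, used = fresh_orders(), set()
    print("hardened, correct order:", hardened_complete_order(orders, used, msg, sig))
    print("hardened, replay:", hardened_complete_order(orders, used, msg, sig))
    print("hardened, tampered order_id:",
          hardened_complete_order(orders, used, dict(msg, order_id="order-1001"), sig))
```

The hardened handler makes the merchant, not the shopper, the party that reconciles the two states: the order ID, amount and currency are read from the signed cashier message, compared against the merchant's record, and the payment identifier is recorded so a single payment cannot be reused to complete further orders.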