How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores

Abstract

With the increasing popularity of third-party services integrated into hybrid web applications come new security challenges, posed by the complexity of coordinating the internal states of these individual services and the web client across the Internet. In this paper, we study the security implications of this problem for online merchants that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout), which we refer to as Cashier-as-a-Service or CaaS. We found that leading merchant applications (e.g., NopCommerce and Interspire), popular online stores (e.g., Buy.com and JR.com) and a prestigious CaaS provider (Amazon Payments) all contain serious logic flaws that can be exploited to make the states of the CaaS and the merchant inconsistent. As a result, a malicious shopper can purchase an item at an arbitrarily low price, shop for free after paying for one item, or even completely avoid payment. We reported our findings to the affected parties. They either updated their vulnerable software or continued to work on the fixes as a high priority. We further studied the complexity of finding this type of logic flaw in a typical CaaS-based checkout system, and gained a preliminary understanding of the effort that needs to be made to improve the security assurance of such systems during their development and testing processes.

Series and Number: Indiana University Computer Science Technical Reports; TR690

Rights

This work is protected by copyright unless stated otherwise.