IU informaticists uncover online security flaws, receive free products

Research to be presented at upcoming IEEE security symposium

2011-04-02
(Press-News.org) BLOOMINGTON, Ind. -- Internet security researchers at Indiana University and Microsoft Research have exploited software flaws in leading online stores that use third-party payment services PayPal, Amazon Payments and Google Checkout to receive products for free or at prices far below the advertised purchase price.

The research group, which included IU Bloomington School of Informatics and Computing Associate Professor XiaoFeng Wang and doctoral student Rui Wang, the lead author, was able to receive electronics, DVDs, digital journal subscriptions, personal health care items and other products either free or at prices the group itself determined.

Leading merchant applications NopCommerce and Interspire, cashier-as-a-service (CaaS) providers such as Amazon Payments, and some popular online merchants all contained serious logic flaws that would allow malicious users to exploit inconsistencies in how payment statuses were perceived by the merchants and CaaS providers (Amazon Payments, PayPal and Google Checkout). In some cases the researchers were able to convince the web stores they had paid for an item through Amazon Payments while actually making the payment into their own merchant account at Amazon.

"We believe that it is difficult to ensure the security of a CaaS-based checkout system in the presence of a malicious shopper who intends to exploit these knowledge gaps between the merchant and the CaaS," XiaoFeng Wang said. "This trilateral interaction (between merchant apps, online stores and the CaaS) can be significantly more complicated than typical bilateral interactions between a browser and a server, which have already been found to be fraught with subtle logic bugs."

Most of the flaws were due to lapses in merchant software, they said, but responsibility also fell on the CaaS providers. In one case the researchers discovered an error in Amazon Payments' software development kit that led to the company significantly altering the way it verifies payment notifications.

More troubling, the report notes, is that the preliminary study touched only on the simplest trilateral interactions and not on other real-world applications that involve even more parties, like marketplaces and auctions, which the researchers now believe could be even more error-prone.

"This calls for further security studies about such complicated multi-party web applications," said Rui Wang. "Our analysis revealed the logic complexity in CaaS-based checkout mechanisms, and the effort required to verify their security properly when developing and testing these systems. We believe this study takes the first step in the new security problem space that hybrid web applications bring."

The research group, which also included Shuo Chen and Shaz Qadeer of Microsoft Research in Redmond, Wash., said it now hopes to explore whether similar flaws can be found that would allow malicious users to purchase two items at extremely different prices and then return the cheaper one while receiving a refund for the more expensive item.

"An interesting question might be whether we can check out a $1 order and a $10 order and cancel the $1 order to get $10 refunded," Rui Wang added.

In each case where flaws were found, the researchers reported their findings to the affected parties, received acknowledgements from the parties, returned any property received, and worked with them to correct the flaws.

In January 2011 Rui Wang and XiaoFeng Wang, his doctoral adviser, and Shuo Chen, the Microsoft researcher, were part of a team that uncovered Facebook vulnerabilities that allowed malicious websites to access and share private user data. Facebook later confirmed it had repaired the vulnerabilities. (Original press release here: http://newsinfo.iu.edu/news/page/normal/17192.html) XiaoFeng Wang is also acting director of the IU Center for Security Informatics and is an affiliated researcher at IU's Center for Applied Cybersecurity Research.

Their current work, "How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores," will be formally presented in May at the Institute of Electrical and Electronics Engineers' annual Symposium on Security and Privacy in Oakland, Calif. The research paper can be viewed here: http://www.informatics.indiana.edu/xw7/papers/caas-oakland-final.pdf.



INFORMATION:

For more information or to speak with Rui Wang or XiaoFeng Wang, please contact Steve Chaplin, University Communications, at 812-856-1896 or stjchap@indiana.edu.
