(Press-News.org) BLOOMINGTON, Ind. -- Internet security researchers at Indiana University and Microsoft Research have exploited software flaws in leading online stores that use third-party payment services PayPal, Amazon Payments and Google Checkout to receive products for free or at prices far below the advertised purchase price.
The research group that included IU Bloomington School of Informatics and Computing Associate Professor XiaoFeng Wang and doctoral student Rui Wang, as the lead author, was able to receive electronics, DVDs, digital journal subscriptions, personal health care items and other products either free or at prices the group itself determined.
Leading merchant applications NopCommerce and Interspire, cashier-as-a-service (CaaS) providers such as Amazon Payments and some popular online merchants all contained serious logic flaws that would allow malicious users to exploit inconsistencies in how payment statuses were perceived by the merchants and CaaS providers (Amazon Payments, PayPal and Google Checkout). The researchers in some cases were able to convince the web stores they had paid for an item through Amazon Payment while actually making the payment into their own merchant account at Amazon.
"We believe that it is difficult to ensure the security of a CaaS-based checkout system in the presence of a malicious shopper who intends to exploit these knowledge gaps between the merchant and the CaaS," XiaoFeng Wang said. "This trilateral interaction (between merchant apps, online stores and the CaaS) can be significantly more complicated than typical bilateral interactions between a browser and a server, which have already been found to be fraught with subtle logic bugs."
Most of the flaws were due to lapses in merchant software, they said, but responsibility also fell on the CaaSs. In one case the researchers discovered an error in Amazon Payments' software development kit that led to the company significantly altering the way it verifies payment notifications.
More troubling, the report notes, is that the preliminary study touched only on the simplest trilateral interactions and not on other real-world applications that involve even more parties, like marketplaces and auctions, which the researchers now believe could be even more error-prone.
"This calls for further security studies about such complicated multi-party web applications," said Rui Wang. "Our analysis revealed the logic complexity in CaaS-based checkout mechanisms, and the effort required to verify their security properly when developing and testing these systems. We believe this study takes the first step in the new security problem space that hybrid web applications bring."
The research group, which also included Shuo Chen and Shaz Qadeer of Microsoft Research in Redmond, Wash., said it now hopes to explore whether similar flaws can be found that would allow malicious users to purchase two items at extremely different prices and then return the cheaper one while receiving a refund for the more expensive item.
"An interesting question might be whether we can check out a $1 order and a $10 order and cancel the $1 order to get $10 refunded," Rui Wang added.
In each case where flaws were found the researchers reported their findings to the affected parties, received acknowledgements from the parties, returned any property received, and worked with them to correct the flaws.
In January 2011 Rui Wang and XiaoFeng Wang, his doctoral adviser, and Shuo Chen, the Microsoft researcher, were part of a team that uncovered Facebook vulnerabilities that allowed malicious websites to access and share private user data. Facebook later confirmed it had repaired the vulnerabilities. (Original press release here: http://newsinfo.iu.edu/news/page/normal/17192.html) XiaoFeng Wang is also acting director of the IU Center for Security Informatics and is an affiliated researcher at IU's Center for Applied Cybersecurity Research.
Their current work, "How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores," will be formally presented in May at the Institute of Electrical and Electronics Engineers' annual Symposium on Security and Privacy in Oakland, Calif. The research paper can be viewed here: http://www.informatics.indiana.edu/xw7/papers/caas-oakland-final.pdf.
INFORMATION:
For more information or to speak with Rui Wang or XiaoFeng Wang, please contact Steve Chaplin, University Communications, at 812-856-1896 or stjchap@indiana.edu.
IU informaticists uncover online security flaws, receive free products
Research to be presented at upcoming IEEE security symposium
2011-04-02
ELSE PRESS RELEASES FROM THIS DATE:
Social Candy Announces Its Online Service For Creating & Managing Facebook Fan Pages For Businesses
2011-04-02
Social Candy, Inc. announces its online subscription service, enabling companies to personalize their Facebook Fan Pages with video, graphics, custom content, integrated product catalogs and special "Fan Only" Promotions through a unique Facebook-Friendly template system. Its flexible architecture and easy-to-use interface allows businesses of all skill levels to customize Facebook Fan Page and improve their social media marketing campaigns.
"We have listened to Facebook business users, and many of them don't have the technical and financial resources to embrace the ...
IBEX scientists isolate mysterious 'ribbon' of energy and particles that wraps around heliosphere
2011-04-02
DURHAM, N.H. – In a paper to be published in the April 10, 2011, issue of The Astrophysical Journal, scientists on NASA's Interstellar Boundary Explorer (IBEX) mission, including lead author Nathan Schwadron and others from the University of New Hampshire, isolate and resolve the mysterious "ribbon" of energy and particles the spacecraft discovered in the heliosphere – the huge bubble that surrounds our solar system and protects us from galactic cosmic rays.
The finding, which overturns 40 years of theory, provides insight into the fundamental structure of the heliosphere, ...
Veteran Publicist Bobbi Cowan Forms Strategic Partnership with Social Media Firm Kaboodle Ventures
2011-04-02
Los Angeles-based Public Relations Professional Bobbi Cowan announces this week a new strategic social media collaboration with Arizona-based Kaboodle Ventures, LLC.
The new alliance will provide clients with a full array of Organic SEO & Social Media made easy packages and solutions for everyone. From initial setup to ongoing Facebook, Twitter, MySpace, YouTube presence, distribute podcast feeds, promotional videos, press releases, audience development and event marketing across the Social Media landscape.
Kaboodle Ventures currently reps, are a very impressive ...
Scientists discover new drug target for inflammatory bowel disease: cytokine (IL-23)
2011-04-02
A new discovery published in the April 2011 issue of Journal of Leukocyte Biology (http://www.jleukbio.org) raises hope that new treatments for illnesses like Crohn's disease and ulcerative colitis are on the horizon. That's because they've identified IL-23, a cytokine used by the immune system to ward off disease, as a major contributor to the inflammation that is the hallmark of these illnesses. With this information, it is now possible to develop new treatments that stop or reduce the damaging effects of IL-23, potentially bringing relief to millions of people with inflammatory ...
Sequential treatment with entecavir and lamivudine results in rebound of hepatitis B virus
2011-04-02
A two-year trial of entecavir followed by lamivudine (LAM) in patients with chronic hepatitis B virus (HBV) infection resulted in a virologic rebound rate of 24% and 12% drug-resistance rate. Patients who continued on entecavir therapy throughout the study period had undetectable HBV DNA at the two-year endpoint. Details of this trial are published in the April issue of Hepatology, a journal published by Wiley-Blackwell on behalf of the American Association for the Study of Liver Diseases.
The World Health Organization (WHO) estimates that more than 2 billion people worldwide ...
The Beverly Hills Playhouse announces Acting Classes NYC with Veteran Broadway Actor Cotter Smith
2011-04-02
The Beverly Hills Playhouse acting school proudly introduces their new teacher Cotter Smith who teaches acting classes in New York at 154 Christopher St., New York, NY 10014. If you are located in New York and are looking for acting classes NYC then you have a great opportunity to be trained at the Beverly Hills Playhouse Acting School.
The Beverly Hills Playhouse has four major locations:
Beverly Hills - 254 S Robertson Blvd, Beverly Hills, CA 90211 : (323) 657-5966
Los Angeles - Skylight Theatre, 1816 N. Vermont Ave, Los Angeles, CA 90027 : (323) 657-5966
New ...
Intelligent design: Engineered protein fragment blocks the AIDS virus from entering cells
2011-04-02
In what could be a potential breakthrough in the battle against AIDS and a major development in the rational design of new drugs, scientists have engineered a new protein that prevents the virus from entering cells. This protein is based on a naturally occurring protein in the body that protects cells from viruses, except the man-made version does not cause inflammation and other side effects at the dosages needed to inhibit AIDS. This discovery was published in the April 2011 issue of The FASEB Journal (http://www.fasebj.org).
"This is science fiction made reality. ...
Expanding the degrees of surface freezing
2011-04-02
UPTON, NY — As part of the quest to form perfectly smooth single-molecule layers of materials for advanced energy, electronic, and medical devices, researchers at the U.S. Department of Energy's Brookhaven National Laboratory have discovered that the molecules in thin films remain frozen at a temperature where the bulk material is molten. Thin molecular films have a range of applications extending from organic solar cells to biosensors, and understanding the fundamental aspects of these films could lead to improved devices.
The study, which appears in the April 1, 2011, ...
4imprint UK's Helping Hand Programme, '300 Bags Full'
2011-04-02
PRIME is the only charity in the UK aimed at helping older people to set up their own business as a way of getting back to work. Established by Prince Charles as a sister charity to The Prince's Trust, PRIME helps the growing number of people in the 50+ age group who need to continue working, or get back into work after losing their job, by helping them to set up their own businesses. "Being a small charity, we don't have the resources to do everything we'd like to do," confirms Ian Stobie, Marketing and PR Manager for PRIME. "We have a huge amount of useful material on ...
New tool makes programs more efficient without sacrificing safety functions
2011-04-02
Computer programs are incorporating more and more safety features to protect users, but those features can also slow the programs down by 1,000 percent or more. Researchers at North Carolina State University have developed a software tool that helps these programs run much more efficiently without sacrificing their safety features.
"These safety features – or meta-functions – can slow a program down so much that software developers will often leave them out entirely," says Dr. James Tuck, an assistant professor of electrical and computer engineering at NC State and leader ...
LAST 30 PRESS RELEASES:
Giant rats could soon fight illegal wildlife trade by sniffing out elephant tusk and rhino horn
Spin current observations from organic semiconductor side
Alcohol consumption among non-human animals may not be as rare as previously thought, say ecologists
Survey: Dangerous gap in knowledge about pancreatic cancer among adults under age 50
Women entering menopause later in life at greater risk for asthma
Sinuses prevented prehistoric croc relatives from deep diving
Spirited away: Key protein aids transport within plant cells
Britain’s brass bands older than we thought and invented by soldiers from the Napoleonic Wars, new study reveals
The Lancet: Health threats of climate change reach record-breaking levels, as experts call for trillions of dollars spent on fossil fuels to be redirected towards protecting people’s health, lives and
‘Weekend warrior’ exercise pattern may equal more frequent sessions for lowering cognitive decline risk
Physical activity of any intensity linked to lower risk of death after dementia diagnosis
Brain changes seen in lifetime cannabis users may not be causal
For the love of suckers: Volunteers contribute to research on key freshwater fishes
Bill and Mary Anne Dingus commit $1M to fund Human Impacts on the Earth Fund at Rice
Most patients can continue GLP-1 anti-obesity drugs before surgery
Computational tool developed to predict immunotherapy outcomes for patients with metastatic breast cancer
Cerebral embolic protection by geographic region
12 new Oriental weevil species discovered using advanced imaging tools
Ultrasound can be used as search and rescue tool for the brain
Department of Defense funds study of gene therapy for muscular degeneration
People’s exposure to toxic chemicals declined in the U.S. following listing under California law
Trauma, homelessness afflict gender affirming care patients at higher rates
New $5 million DoE award supports KU startup’s green hydrogen energy research
A navigation system for microswimmers
Study finds early TAVR can be beneficial for patients with asymptomatic severe aortic stenosis
Implantable microparticles can deliver two cancer therapies at once
Early intervention in patients with asymptomatic severe aortic stenosis and myocardial fibrosis falls short of expected benefits
The surprising reason a classical computer beat a quantum computer at its own game
Researchers Aim To Get Leg Up on Bone Repair with 3D-Printed Femur
Transforming patient care: study finds bedside interdisciplinary rounds boost satisfaction for patients and providers
[Press-News.org] IU informaticists uncover online security flaws, receive free productsResearch to be presented at upcoming IEEE security symposium