How to Shop for Free Online and Fool Online Merchants into Shipping Goods for Free?

Web applications increasingly integrate third-party services. The integration introduces new security challenges due to the complexity for an app to coordinate its internal states with those of the component services and the web client across the Internet. In this paper, we study the security implications of this problem to merchant websites that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout), which we refer to as Cashier-as-a-Service or CaaS. We found that leading merchant applications (e.g., NopCommerce and Interspire), popular online stores (e.g., Buy.com and JR.com) and a prestigious CaaS provider (Amazon Payments) all contain serious logic flaws that can be exploited to cause inconsistencies between the states of the CaaS and the merchant. [Microsoft Research]
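The class of flaw the abstract describes arises when the merchant marks an order as paid on the strength of a cashier notification without checking that the notification actually corresponds to that order. The following is an added example, not code from the paper or from any of the merchant or CaaS systems it names: a simulated HMAC-signed payment notification from a hypothetical cashier (the shared secret, field names and order data are all constructed for illustration), a naive merchant confirmation routine beside a hardened one, and a demo that exercises both against a genuine notification, a mismatched one, a replayed one and a tampered one.

```python
import hmac
import hashlib
import json

# Constructed for this example: a shared secret between merchant and a hypothetical CaaS,
# and the merchant's own account identifier at that cashier.
CAAS_SHARED_SECRET = b"example-shared-secret-not-real"
MERCHANT_ID = "merchant-123"


def make_orders():
    """Constructed merchant-side order store: order_id -> expected amount/currency/status."""
    return {
        "order-1": {"amount": "25.00", "currency": "USD", "status": "pending"},
        "order-2": {"amount": "250.00", "currency": "USD", "status": "pending"},
    }


def sign_notification(fields, secret=CAAS_SHARED_SECRET):
    """Simulated cashier: canonicalise the notification fields and MAC them."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def issue_notification(fields):
    """Simulated cashier: return a signed copy of the notification."""
    signed = dict(fields)
    signed["signature"] = sign_notification(fields)
    return signed


def naive_confirm(orders, notification):
    """Weak merchant logic: trusts the order id and status carried in the notification."""
    order = orders.get(notification.get("order_id"))
    if order is None or notification.get("status") != "PAID":
        return False
    order["status"] = "paid"
    return True


def hardened_confirm(orders, notification, seen_txn_ids, secret=CAAS_SHARED_SECRET):
    """Merchant logic that binds the cashier's view of the payment to the merchant's order."""
    sig = notification.get("signature")
    fields = {k: v for k, v in notification.items() if k != "signature"}
    # 1. Authenticity: the notification must come from the cashier, not from the client.
    if not isinstance(sig, str) or not hmac.compare_digest(sign_notification(fields, secret), sig):
        return False
    # 2. The order must exist and still be awaiting payment.
    order = orders.get(fields.get("order_id"))
    if order is None or order["status"] != "pending":
        return False
    # 3. The payment must have been made to this merchant, and completed.
    if fields.get("merchant_id") != MERCHANT_ID or fields.get("status") != "PAID":
        return False
    # 4. Amount and currency must match what the merchant expects for this order.
    if fields.get("amount") != order["amount"] or fields.get("currency") != order["currency"]:
        return False
    # 5. Each cashier transaction id may be consumed only once (replay protection).
    txn = fields.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return False
    seen_txn_ids.add(txn)
    order["status"] = "paid"
    return True


def run_demo():
    """Exercise both routines; returns a dict of outcomes so the results can be checked."""
    results = {}
    seen = set()
    orders = make_orders()
    genuine = issue_notification({"order_id": "order-1", "merchant_id": MERCHANT_ID,
                                  "amount": "25.00", "currency": "USD",
                                  "status": "PAID", "txn_id": "txn-0001"})
    results["genuine"] = hardened_confirm(orders, genuine, seen)
    results["replay"] = hardened_confirm(orders, genuine, seen)

    # A validly signed notification whose amount does not match the order it names.
    mismatched = issue_notification({"order_id": "order-2", "merchant_id": MERCHANT_ID,
                                     "amount": "25.00", "currency": "USD",
                                     "status": "PAID", "txn_id": "txn-0002"})
    results["naive_mismatched"] = naive_confirm(make_orders(), mismatched)
    results["hardened_mismatched"] = hardened_confirm(make_orders(), mismatched, set())

    # A notification altered after signing: the MAC no longer verifies.
    tampered = dict(genuine)
    tampered["amount"] = "0.01"
    results["hardened_tampered"] = hardened_confirm(make_orders(), tampered, set())
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The contrast the demo makes is the one the paper's flaw class turns on: the naive routine accepts the mismatched notification because it checks only that some order with that id exists and that the cashier reports PAID, whereas the hardened routine rejects it because the amount the cashier vouches for is not the amount the merchant is owed. A real integration would additionally fetch the transaction record from the cashier's API rather than rely solely on a pushed notification.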

In the video below, MSR researchers Shuo Chen and Shaz Qadeer, as well as PhD student and key author of this really interesting research paper, Rui Wang, join for a conversation about the implications of this research (another author of the paper is XiaoFeng Wang of Indiana University Bloomington).