Shop online – For free

A recent study by researchers at Indiana University Bloomington and Microsoft Research ("How to Shop for Free Online", IEEE Symposium on Security and Privacy 2011) shows that the checkout logic of online shopping portals can be bypassed, in some cases to the point of obtaining goods for free.

The core observation is this: whenever a merchant uses the cashier-as-a-service (CaaS) model, for instance by redirecting the shopper to a third-party payment gateway, the shopper's browser relays the messages between the merchant and the cashier. A malicious shopper can therefore modify, replay or reorder those messages and send the merchant something that contradicts what the payment gateway actually did.



During checkout, the CaaS and the merchant communicate with each other, and each of them also communicates with the shopper independently. This trilateral interaction is meant to keep the internal states of the merchant and the CaaS consistent, since either party has only a partial view of the whole transaction. Against a malicious shopper who understands and exploits that knowledge gap, it is hard to keep a CaaS-based checkout secure, because the logic that reconciles the two views tends to contain flaws.



The researchers found that, by exploiting such logic flaws, a malicious shopper can buy at an arbitrarily chosen price, shop for free after paying for one item, or avoid payment altogether.
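To make the "partial view" problem concrete, here is a toy model added to this post; it is not code from the paper and does not reproduce any real merchant's or gateway's protocol. It assumes a CaaS that signs payment confirmations with an HMAC key shared with the merchant (the key, merchant ID, message fields and order names are all hypothetical). The shopper is the relay, so the merchant's "finish order" step receives whatever the shopper chooses to send. `finish_weak` accepts any validly signed confirmation; `finish_hardened` checks every field against the merchant's own record, which is what closes the three tricks the paper describes.

```python
"""Toy cashier-as-a-service (CaaS) checkout showing how a merchant that sees
only part of the transaction can be tricked by the shopper relaying messages.
Everything here (names, MAC scheme, message fields) is constructed for this
example; it is not taken from the paper or from any real payment gateway."""
import hashlib
import hmac

SHARED_KEY = b"merchant-caas-shared-key"  # hypothetical key shared by merchant and CaaS
MERCHANT_ID = "shop-1"                     # hypothetical merchant account at the CaaS


def mac(fields):
    """HMAC over the confirmation fields, in a fixed order (constructed scheme)."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


class Caas:
    """The cashier: records who paid how much to whom, but knows no prices."""

    def __init__(self):
        self.txn_counter = 0

    def pay(self, order_id, amount, payee):
        # The CaaS only sees what the shopper's browser submits. It cannot tell
        # whether `amount` is the real price of `order_id`, or whether `payee`
        # is really the merchant that created the order.
        self.txn_counter += 1
        conf = {"txn": f"txn-{self.txn_counter}", "order_id": order_id,
                "amount": amount, "payee": payee}
        conf["mac"] = mac(conf)
        return conf  # handed to the shopper, who relays it to the merchant


class Merchant:
    """The merchant: knows prices, learns of payments only from relayed confirmations."""

    def __init__(self):
        self.orders = {}       # order_id -> price
        self.paid = set()
        self.seen_txns = set()

    def create_order(self, order_id, price):
        self.orders[order_id] = price

    def _mac_ok(self, conf):
        body = {k: v for k, v in conf.items() if k != "mac"}
        return hmac.compare_digest(mac(body), conf.get("mac", ""))

    def finish_weak(self, order_id, conf):
        # Logic flaw: a valid signature is taken to mean "this order is paid".
        # The unsigned order_id parameter, the amount and the payee are never
        # compared with what the merchant itself knows about the order.
        if order_id in self.orders and self._mac_ok(conf):
            self.paid.add(order_id)
            return True
        return False

    def finish_hardened(self, order_id, conf):
        # Every field the merchant relies on is taken from the signed payload
        # and checked against the merchant's own record of the order.
        if not self._mac_ok(conf):
            return False
        if conf["order_id"] != order_id or order_id not in self.orders:
            return False
        if conf["payee"] != MERCHANT_ID:             # money must reach this merchant
            return False
        if conf["amount"] != self.orders[order_id]:  # full price, as the merchant set it
            return False
        if conf["txn"] in self.seen_txns:            # one confirmation finishes one order
            return False
        self.seen_txns.add(conf["txn"])
        self.paid.add(order_id)
        return True


def checkout(finish_name, order_id, amount, payee, finish_as=None):
    """One checkout round: fixed price list, a CaaS payment, the relayed finish call.
    `finish_as` lets a malicious shopper name a different order in the finish call."""
    merchant, caas = Merchant(), Caas()
    merchant.create_order("tv", 500)
    merchant.create_order("cable", 1)
    finish = getattr(merchant, finish_name)
    conf = caas.pay(order_id, amount, payee)
    finish(order_id, conf)                 # the part of the flow the CaaS expects
    if finish_as is not None:
        finish(finish_as, conf)            # the same confirmation, replayed for another order
    return "tv" in merchant.paid


def attacks(finish_name):
    """Return, for one honest run and three shopper tricks, whether the 500-unit
    'tv' ends up marked as paid."""
    return {
        "honest":          checkout(finish_name, "tv", 500, MERCHANT_ID),
        "arbitrary_price": checkout(finish_name, "tv", 1, MERCHANT_ID),
        "pay_self":        checkout(finish_name, "tv", 500, "attacker"),
        "reuse_cheap":     checkout(finish_name, "cable", 1, MERCHANT_ID, finish_as="tv"),
    }


if __name__ == "__main__":
    for name in ("finish_weak", "finish_hardened"):
        print(name, attacks(name))
```

With the weak merchant all four runs mark the TV as paid: the shopper lowered the amount before the CaaS saw it, paid the money to an account they control, or reused the confirmation for the one-unit cable. The hardened merchant accepts only the honest run, because it refuses to trust any unsigned parameter, compares the signed amount and payee with its own order record, and consumes each transaction ID once. The general point is that the merchant must never learn the price, the payee or the order identity from the shopper; those have to come from state the merchant holds itself or from fields the cashier has signed.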



The full paper is available at https://research.microsoft.com/pubs/145858/caas-oakland-final.pdf