How to Shop for Free Online
Web applications increasingly integrate third-party services. The integration introduces new security challenges due to the complexity for an application to coordinate its internal states with those of the component services and the web client across the Internet. In this paper, we study the security implications of this problem to merchant websites that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout), which we refer to as Cashier-as-a-Service or CaaS. We found that leading merchant applications (e.g., NopCommerce and Interspire), popular online stores (e.g., Buy.com and JR.com) and a prestigious CaaS provider (Amazon Payments) all contain serious logic flaws that can be exploited to cause inconsistencies between the states of the CaaS and the merchant. [Source]
Interesting, captain. What exactly does this mean? How are these flaws in programming logic exploited by evil shoppers? Most importantly, how can I shop for free?!??
In all seriousness, with the online world becoming increasingly complex with its distributed services communicating over various protocols, information that materializes on end points as plain text, and non-uniform payment service policies—with the cherry on top being non-uniform identity of communicating parties—well, business can get messy. MSR researchers Shuo Chen and Shaz Qadeer, as well as PhD student and key author of this really interesting research paper, Rui Wang, join me for a conversation about the implications of this research (another author of the paper is XiaoFeng Wang of Indiana University Bloomington). Most importantly, however, I try to get them to give me the details about how I can fool online merchants into shipping me goods for free (just kidding!) and what they think is needed to fix this problem in a mathematically precise fashion (static/dynamic analysis, security-based policy languages for CaaS, etc.).