Shop for free! Researchers cheat PayPal checkout

Indiana University doctoral student Rui Wang (left) and associate professor XiaoFeng Wang worked with a team of researchers to expose major security flaws in e-commerce payment systems.

By Julianne Pepitone, staff reporter


NEW YORK (CNNMoney) -- A group of security researchers say software flaws in the ways major merchants have implemented payment systems from PayPal, Amazon Payments and Google Checkout allowed them to buy products online for free or at a deep discount.

The researchers, from Indiana University and Microsoft (MSFT, Fortune 500) Research, said "logic flaws" created inconsistencies between the merchant site and the payment service.

As a result, study co-author XiaoFeng Wang said his group was able to procure items like DVDs and electronics chargers by gaming the system in multiple ways. They could add a discount of their choosing, shop for free after paying for one item, or buy an expensive product for the price of the cheapest item.

In some cases, the researchers convinced merchant sites that they had paid for an item in full -- while actually making the payment into their own seller account at Amazon.
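The three tricks described above all come down to the merchant accepting a payment confirmation without binding it to its own order record. As an added example (not from the article or the researchers' paper), here is a merchant-side check that rejects each of those cases; the notification format, field names, order store and the `lookup_txn` processor call are hypothetical stand-ins.

```python
from dataclasses import dataclass, replace
from decimal import Decimal
from typing import Optional

MERCHANT_PAYEE_ID = "merchant-acct-123"  # constructed: this merchant's own seller account

@dataclass(frozen=True)
class Order:
    order_id: str
    amount: Decimal
    currency: str
    paid: bool = False

# Constructed stand-in for the payment service's transaction records.
PROCESSOR_LEDGER = {
    "T1": {"payee": "merchant-acct-123", "order_id": "O-100", "amount": "49.99", "currency": "USD"},
    "T2": {"payee": "shopper-acct-777", "order_id": "O-101", "amount": "49.99", "currency": "USD"},
    "T3": {"payee": "merchant-acct-123", "order_id": "O-101", "amount": "1.00", "currency": "USD"},
}

def lookup_txn(txn_id: str) -> Optional[dict]:
    """Hypothetical server-to-server lookup; stands in for the processor's API."""
    return PROCESSOR_LEDGER.get(txn_id)

def new_orders() -> dict:
    """Constructed order store: two orders, each for a $49.99 item, neither paid yet."""
    return {"O-100": Order("O-100", Decimal("49.99"), "USD"),
            "O-101": Order("O-101", Decimal("49.99"), "USD")}

def verify_payment(notification: dict, orders: dict, fetch=lookup_txn):
    """Return (accepted, reason); mark the order paid only when every field binds."""
    txn = fetch(notification.get("txn_id", ""))
    if txn is None:                        # never trust the browser-delivered copy
        return False, "transaction unknown to processor"
    if txn["payee"] != MERCHANT_PAYEE_ID:  # money must have reached this merchant
        return False, "payee is not this merchant"
    order = orders.get(txn["order_id"])
    if order is None:                      # must be an order this shop issued
        return False, "unknown order"
    if order.paid:                         # one payment settles one order only
        return False, "order already paid"
    if Decimal(txn["amount"]) != order.amount or txn["currency"] != order.currency:
        return False, "amount or currency does not match order"
    orders[order.order_id] = replace(order, paid=True)
    return True, "ok"
```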

The researchers made clear that most of the security lapses were on the third-party merchants' side, not the payment processors'.

In response to the study, PayPal parent eBay (EBAY, Fortune 500) noted that the issue stems from "developers not following proper best practices when integrating payments."

Amazon did not respond to requests for comment. Google said it was looking into the study results, and emphasized that Google Checkout has multiple fraud detection systems.

Wang compared the logic flaws to a naughty child who wants a piece of candy: The child tells the mother that the father said it was OK, and then tells Dad that Mom said it was fine. If the two parents aren't communicating effectively, the kid gets the candy.

"It's convenient for merchants to use these third-party services because then they don't have to build payment platforms themselves," XiaoFeng Wang said. "But that makes the whole system more complicated -- which means more possible bugs."

Wang said the researchers worked with a lawyer to conduct their tests in an ethical and legal way, and the items were returned to the merchants.

The group also immediately reported their findings to the merchants and worked with them to fix the issues, Wang said. He and his colleagues are scheduled to present their paper next month at the Institute of Electrical and Electronics Engineers' annual Symposium on Security and Privacy in Oakland, Calif.

Just 15 days after the group released its research paper, Wang said, Amazon released a new set of software development kits to fix bugs -- and mandated that Web stores upgrade to the new SDKs within 40 days.

But Securisea CEO Josh Daymont warns that these types of issues indicate "a systemic weakness" in these kinds of services.

"Merchants love to use software as a service so they don't have to build payment platforms themselves," said Daymont, whose company specializes in IT security. "So that architecture isn't going away."

However, Daymont notes, companies like Amazon (AMZN, Fortune 500) and Google (GOOG, Fortune 500) have a lot of other things going on -- and they may not always pay enough attention to their payment platforms' back end. Plus, the onus is on merchants to build secure systems on top of those platforms.

"What typically happens is that companies make the decision not to throw more manpower behind these products, and then something like this IU paper comes out," he said. "It's a classic case of security not being considered until after the product has shipped."
