A flaw in a commonly used e-commerce software package could be
exploited by unscrupulous online shoppers to rip off online
shopping sites.
The software, ShopFactory, from Australian company 3D3.com, is
designed to help merchants create online shopping baskets to store
items that visitors select for purchase.
However, Dutch security firm Trust Factory discovered a serious flaw
in the way pricing information is retrieved within ShopFactory.
According to Trust Factory chief executive officer Coen Aupema,
3D3.com's software stores the pricing information within Internet
cookies in an unencrypted form.
Trust Factory security architect Richard Van den Berg noticed the
problem on the Web site of his local sandwich shop, which used
3D3.com's software for online orders.
When the Netherlands moved to the euro in January, Van den Berg
noticed that his usual sandwich order had become more expensive:
sandwiches were paid for in euros, but the prices on the order form
at the shop's Web site were still set in guilders.
Since ShopFactory stored pricing cookies on customers' computers,
rather than on a central database, Van den Berg believed it was
impossible for the sandwich shop to update product prices on its
own.
Even worse, the software accepted the cookie provided. Van den Berg
said that anyone with a text editor and knowledge about where to
locate the cookie on their computer could adjust the price of the
items they ordered, thus giving themselves a potentially massive
discount.
"Instead of storing prices, they could store the IDs of items in
the cart and pull prices out of the store's own database," he
added.
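The two designs described above, as an added example that is not 3D3.com's code: a cart total that trusts a client-side price cookie, beside the fix Van den Berg suggests, where the cookie carries only item IDs and quantities and prices come from the merchant's own catalog. The cookie format and the catalog are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed catalog: the merchant's price list, kept server-side.
CATALOG = {"sandwich-ham": 3.50, "sandwich-cheese": 3.00}


def parse_cart_cookie(cookie):
    """Parse a constructed cookie of the form 'item=ID&qty=N&price=P;...'.

    The price field is optional; the hardened path never uses it.
    """
    items = []
    for entry in filter(None, cookie.split(";")):
        fields = parse_qs(entry, strict_parsing=True)
        items.append({
            "id": fields["item"][0],
            "qty": int(fields["qty"][0]),
            "price": float(fields["price"][0]) if "price" in fields else None,
        })
    return items


def total_trusting_cookie(cookie):
    """Vulnerable design: charges whatever price the cookie claims."""
    items = parse_cart_cookie(cookie)
    return round(sum(i["qty"] * i["price"] for i in items), 2)


def total_from_catalog(cookie):
    """Hardened design: the cookie contributes only IDs and quantities.

    Prices are looked up in CATALOG; unknown IDs and non-positive
    quantities are rejected rather than silently priced at zero.
    """
    total = 0.0
    for i in parse_cart_cookie(cookie):
        if i["id"] not in CATALOG or i["qty"] <= 0:
            raise ValueError(f"rejected cart entry: {i['id']!r}")
        total += i["qty"] * CATALOG[i["id"]]
    return round(total, 2)
```

With an unmodified cookie both functions agree; once the price field in the cookie is edited, only the catalog-based total stays correct.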
3D3.com chief executive officer Steffan Klein acknowledged the
problem and said the company was working on fixing it. 3D3.com has
issued version 5.8 of its software, which resolves the problem by
preventing the software from reading information from cookies when
the cookie creation feature is disabled.
On its support site, 3D3.com issued a notice on the cookie problem.
"This cookie can be adjusted by a malicious user - meaning a user
could modify the price of a product in the cookie and then order
the product with the reduced price via your shop. We apologise to
our users for this oversight."
3D3.com did not believe the security issue would cause users too
many problems, as the online shop would still need to authorise a
purchase.
"In the real world this fraud could be compared to switching the
price tag on a product picked in a store - hoping that the person
at the register won't mind that you are trying to pay one dollar
for an item which in fact should cost $1000," said 3D3.com's Web
site notice.