Dutch security firm finds holes in shopping basket

A flaw in a commonly used e-commerce software package could be exploited by unscrupulous online shoppers to rip off online...

A flaw in a commonly used e-commerce software package could be exploited by unscrupulous online shoppers to rip off online shopping sites

The software, ShopFactory, from Australian company 3D3.com, is designed to help merchants create online shopping baskets to store items that visitors select for purchase.

However Dutch security firm Trust Factory discovered a serious flaw in the way pricing information is retrieved within ShopFactory. According to Trust Factory chief executive officer Coen Aupema, 3D3.com's software stores the pricing information within Internet cookies in an unencrypted form.

Trust Factory security architect Richard Van den Berg noticed the problem on the Web site of his local sandwich shop, which used 3D3.com's software for online orders.

When the Netherlands moved to the Euro in January, Van den Berg noticed that his usual sandwich order had become more expensive - sandwiches were paid for in euros, but the prices on the order form at the shop's Web site were still set to guilder.

Since ShopFactory stored pricing cookies on customers' computers, rather than on a central database, Van den Berg believed it was impossible for the sandwich shop to update product prices on its own.

Even worse, the software accepted the cookie provided. Van den Berg said that anyone with a text editor and knowledge about where to locate the cookie on their computer could adjust the price of the items they ordered, thus giving themselves a potentially massive discount.

"Instead of storing prices, they could store the IDs of items in the cart and pull prices out of the store's own database," he added.

3D3.com chief executive officer Steffan Klein acknowledged the problem and said the company was working on fixing it. 3D3.com has issued version 5.8 of its software, which resolves the problem by disabling the ability of the software to read information from cookies when the cookie creation feature was disabled.

On its support site 3D3.com issued a notice on the cookie problem. "This cookie can be adjusted by a malicious user - meaning a user could modify the price of a product in the cookie and then order the product with the reduced price via your shop. We apologise to our users for this oversight."

3D3.com did not believe the security issue would cause users too many problems, as the online shop would still need to authorise a purchase.

"In the real world this fraud could be compared to switching the price tag on a product picked in a store - hoping that the person at the register won't mind that you are trying to pay one dollar for an item which in fact should cost $1000," said 3D3.com's Web site notice.

Read more on IT risk management