An article at CNN Money reports that some of the biggest names in online checkout, Amazon, Google and PayPal, have software flaws in the way their cashier services are integrated with merchants' online stores. Working with an attorney to conduct their testing ethically, researchers from Indiana University and Microsoft Research demonstrated flaws that resulted in the merchant being paid less than the full price, or not being paid at all, while the shopper still received the items. They have returned the items to the merchants and worked with them to harden their systems.
I think we assume that a huge player like Amazon, Google or PayPal has designed its product with security in mind, but thanks to these guys, we see that isn't always the case. Hopefully, these researchers are the only ones smart enough to fool these systems. Also, if the researchers were able to redirect funds into their own accounts instead of the merchants', the same method could be applied as a man-in-the-middle attack against transactions not protected by SSL/TLS, victimizing both the buyer and the merchant.
It's a good lesson never to take for granted that your IT systems are foolproof. Audit results and put checks and balances in place to catch irregularities when they occur. Be on your game. You know the criminals are.
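To make the failure described above concrete, here is an added toy model (not code from the CNN article, the researchers, or any of the providers named) of a merchant that hands checkout off to a third-party cashier service and then receives a signed payment receipt relayed through the shopper's browser. The vulnerable handler marks the order paid as soon as the signature checks out; the hardened one also compares merchant id, amount, currency and transaction id against the merchant's own order record, and a reconciliation pass shows the kind of audit the previous paragraph calls for. Field names, the signing key, order numbers and amounts are all constructed for the example, and an HMAC stands in for the cashier's real (usually asymmetric) signature.

```python
"""Toy "cashier as a service" checkout, added for illustration; not code from
the article or the researchers.  All names, fields and amounts are constructed."""

import hmac
import hashlib
from decimal import Decimal

# Constructed values.  A real cashier signs receipts with its own key (usually
# asymmetric); an HMAC over the same fields stands in for that here.
CASHIER_SIGNING_KEY = b"example-cashier-key"
MERCHANT_ID = "merchant-42"
SIGNED_FIELDS = ("order_id", "merchant_id", "amount", "currency", "txn_id")


def new_orders():
    """Merchant's order book: the total each shopper agreed to pay."""
    return {f"order-100{i}": {"amount": "250.00", "currency": "USD", "paid": False}
            for i in (1, 2, 3)}


def cashier_receipt(order_id, merchant_id, amount, currency, txn_id):
    """Cashier side: charge whatever the checkout request says (it was relayed
    through the shopper's browser, so the shopper could alter it) and sign a
    receipt for exactly what was charged."""
    msg = {"order_id": order_id, "merchant_id": merchant_id,
           "amount": amount, "currency": currency, "txn_id": txn_id}
    payload = "|".join(msg[f] for f in SIGNED_FIELDS).encode()
    msg["sig"] = hmac.new(CASHIER_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return msg


def signature_valid(msg):
    payload = "|".join(str(msg.get(f, "")) for f in SIGNED_FIELDS).encode()
    expected = hmac.new(CASHIER_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("sig", ""))


def vulnerable_confirm(msg, orders):
    """Merchant trusts a valid signature plus a known order id, nothing else.
    The receipt is genuine, but the shopper chose what it says."""
    if not signature_valid(msg):
        return "rejected: bad signature"
    order = orders.get(msg["order_id"])
    if order is None:
        return "rejected: unknown order"
    order["paid"] = True
    order["paid_amount"] = msg["amount"]
    return "paid"


def hardened_confirm(msg, orders, seen_txns):
    """Merchant checks every claim in the receipt against its own records."""
    if not signature_valid(msg):
        return "rejected: bad signature"
    order = orders.get(msg["order_id"])
    if order is None:
        return "rejected: unknown order"
    if msg["merchant_id"] != MERCHANT_ID:
        return "rejected: paid to a different merchant"
    if msg["currency"] != order["currency"] or Decimal(msg["amount"]) != Decimal(order["amount"]):
        return "rejected: amount differs from order total"
    if msg["txn_id"] in seen_txns or order["paid"]:
        return "rejected: duplicate or replayed receipt"
    seen_txns.add(msg["txn_id"])
    order["paid"] = True
    order["paid_amount"] = msg["amount"]
    return "paid"


def reconcile(orders, settlements):
    """Audit pass: compare orders marked paid with what the cashier actually
    settled to this merchant.  Returns (order_id, reason) pairs to investigate."""
    settled = {s["order_id"]: s for s in settlements if s["merchant_id"] == MERCHANT_ID}
    findings = []
    for oid, order in orders.items():
        if not order["paid"]:
            continue
        s = settled.get(oid)
        if s is None:
            findings.append((oid, "marked paid but no settlement to this merchant"))
        elif Decimal(s["amount"]) != Decimal(order["amount"]):
            findings.append((oid, f"settled {s['amount']} against order total {order['amount']}"))
    return findings


def demo():
    # Three constructed receipts: honest; amount tampered in the relayed
    # request; and paid to the shopper's own seller account instead of ours.
    receipts = [
        cashier_receipt("order-1001", MERCHANT_ID, "250.00", "USD", "txn-a"),
        cashier_receipt("order-1002", MERCHANT_ID, "1.00", "USD", "txn-b"),
        cashier_receipt("order-1003", "merchant-attacker", "250.00", "USD", "txn-c"),
    ]
    weak, strong, seen = new_orders(), new_orders(), set()
    weak_results = [vulnerable_confirm(r, weak) for r in receipts]
    strong_results = [hardened_confirm(r, strong, seen) for r in receipts]
    # The cashier's own ledger, as it would appear in a settlement report.
    settlements = [{k: r[k] for k in SIGNED_FIELDS} for r in receipts]
    return weak_results, strong_results, reconcile(weak, settlements)
```

Running `demo()` shows the vulnerable merchant accepting all three receipts, the hardened one accepting only the honest payment, and the reconciliation flagging the two orders the vulnerable merchant would have shipped without being paid in full. The point is that a valid signature proves only that the cashier said something; the merchant still has to check that what it said matches the order it is about to ship.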
Nice to see some more quality ethical hacking, à la Firesheep, going on out there…