lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CABuTPCxE2dFUoyXyPvHSYYD-TxnNPfu04TyeiY=migPduPH-Zg@mail.gmail.com>
Date: Mon, 17 Aug 2015 10:00:49 +0100
From: John Smith <yiyozif@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Severe weakness in checkout provider Borderfree allows users
 to easily control the prices they pay on ecommerce websites

I've identified a volnurability in some ecommerce websites, that seems to
come from the fact that all of them use a 3rd party checkout system called
Borderfree (www.borderfree.com).
According to their website, Borderfree's technology allows websites to show
prices to automatically foreign customers in their foreign currency, pay
taxes and duties and other things. They also replace the website's checkout
page with their own checkout. A lot of high-end brands in the USA seem to
work this way.
My investigation shows that the integration between the website and the
Borderfree service is done using a proxy server which identifies the IP
address location, and injects the necessary script onto the pages to do all
the price conversions etc.
The problem is that this script is poorly written, and holds the users'
shopping cart details in an object generated on the fly, completely on the
client side, with no validation done when this object is sent to
Borderfree's servers to invoke the checkout page. This makes it very easy
to manipulate the price on the client side, using just a simple debug tool,
and since no validation is done - you can just decide how much you want to
pay for each product ...
So far I've validated this weakness on several sites:
- www.lastcall.com
- www.dunelondon.com
- www.soletrader.co.uk
- www.neimanmarcus.com
But I'm sure this exists in many other sites, since Borderfree seem to use
pretty much the same code base everywhere.
I've tried to contact both Borderfree and some of the websites, but no one
answered... My main concern, judging from the generally poor quality of the
code in combination with the fact that it's all on the client side, is that
it may have other security volnurabilities as well which may compromise the
machines of innocent users who shop on a well known website.

If you want to try it for yourself, here are a few easy steps:
1) Go to one of the websites, say www.soletrader.co.uk. It's a UK-based
shoe retailer, so if you're using a UK IP address, make sure you click the
"International shipping" banner and choose a different country
2) Add a few nice shoes to the shopping cart
3) Go to checkout
4) Open the browser's debugging tools
5) Go to the "Sources" tab, expand assets.moovsweb.com until you reach
main.js
6) Go to line 4974 and put a breakpoint (below the price initialization
code)
7) Click "checkout" (you should soon hit the breakpoint)
8) Go to the "Consule" tab and write: price = "XX" (XX should be the price
you think is fair for this item :-)) and hit Enter
9) Release the debugger
10) You should now reach the checkout with your chosen price for the
product. Continue as usual from here
11) Sit back and wait for your product to arrive ...

It's that easy, not to say lame, but it works.
Enjoy!

JonnyBoy

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ