[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CABuTPCxE2dFUoyXyPvHSYYD-TxnNPfu04TyeiY=migPduPH-Zg@mail.gmail.com>
Date: Mon, 17 Aug 2015 10:00:49 +0100
From: John Smith <yiyozif@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Severe weakness in checkout provider Borderfree allows users
to easily control the prices they pay on ecommerce websites
I've identified a volnurability in some ecommerce websites, that seems to
come from the fact that all of them use a 3rd party checkout system called
Borderfree (www.borderfree.com).
According to their website, Borderfree's technology allows websites to show
prices to automatically foreign customers in their foreign currency, pay
taxes and duties and other things. They also replace the website's checkout
page with their own checkout. A lot of high-end brands in the USA seem to
work this way.
My investigation shows that the integration between the website and the
Borderfree service is done using a proxy server which identifies the IP
address location, and injects the necessary script onto the pages to do all
the price conversions etc.
The problem is that this script is poorly written, and holds the users'
shopping cart details in an object generated on the fly, completely on the
client side, with no validation done when this object is sent to
Borderfree's servers to invoke the checkout page. This makes it very easy
to manipulate the price on the client side, using just a simple debug tool,
and since no validation is done - you can just decide how much you want to
pay for each product ...
So far I've validated this weakness on several sites:
- www.lastcall.com
- www.dunelondon.com
- www.soletrader.co.uk
- www.neimanmarcus.com
But I'm sure this exists in many other sites, since Borderfree seem to use
pretty much the same code base everywhere.
I've tried to contact both Borderfree and some of the websites, but no one
answered... My main concern, judging from the generally poor quality of the
code in combination with the fact that it's all on the client side, is that
it may have other security volnurabilities as well which may compromise the
machines of innocent users who shop on a well known website.
If you want to try it for yourself, here are a few easy steps:
1) Go to one of the websites, say www.soletrader.co.uk. It's a UK-based
shoe retailer, so if you're using a UK IP address, make sure you click the
"International shipping" banner and choose a different country
2) Add a few nice shoes to the shopping cart
3) Go to checkout
4) Open the browser's debugging tools
5) Go to the "Sources" tab, expand assets.moovsweb.com until you reach
main.js
6) Go to line 4974 and put a breakpoint (below the price initialization
code)
7) Click "checkout" (you should soon hit the breakpoint)
8) Go to the "Consule" tab and write: price = "XX" (XX should be the price
you think is fair for this item :-)) and hit Enter
9) Release the debugger
10) You should now reach the checkout with your chosen price for the
product. Continue as usual from here
11) Sit back and wait for your product to arrive ...
It's that easy, not to say lame, but it works.
Enjoy!
JonnyBoy
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists