From full-disclosure Mon Aug 17 09:00:49 2015 From: John Smith Date: Mon, 17 Aug 2015 09:00:49 +0000 To: full-disclosure Subject: [FD] Severe weakness in checkout provider Borderfree allows users to easily control the prices they Message-Id: X-MARC-Message: https://marc.info/?l=full-disclosure&m=143986156612236 I've identified a volnurability in some ecommerce websites, that seems to come from the fact that all of them use a 3rd party checkout system called Borderfree (www.borderfree.com). According to their website, Borderfree's technology allows websites to show prices to automatically foreign customers in their foreign currency, pay taxes and duties and other things. They also replace the website's checkout page with their own checkout. A lot of high-end brands in the USA seem to work this way. My investigation shows that the integration between the website and the Borderfree service is done using a proxy server which identifies the IP address location, and injects the necessary script onto the pages to do all the price conversions etc. The problem is that this script is poorly written, and holds the users' shopping cart details in an object generated on the fly, completely on the client side, with no validation done when this object is sent to Borderfree's servers to invoke the checkout page. This makes it very easy to manipulate the price on the client side, using just a simple debug tool, and since no validation is done - you can just decide how much you want to pay for each product ... So far I've validated this weakness on several sites: - www.lastcall.com - www.dunelondon.com - www.soletrader.co.uk - www.neimanmarcus.com But I'm sure this exists in many other sites, since Borderfree seem to use pretty much the same code base everywhere. I've tried to contact both Borderfree and some of the websites, but no one answered... My main concern, judging from the generally poor quality of the code in combination with the fact that it's all on the client side, is that it may have other security volnurabilities as well which may compromise the machines of innocent users who shop on a well known website. If you want to try it for yourself, here are a few easy steps: 1) Go to one of the websites, say www.soletrader.co.uk. It's a UK-based shoe retailer, so if you're using a UK IP address, make sure you click the "International shipping" banner and choose a different country 2) Add a few nice shoes to the shopping cart 3) Go to checkout 4) Open the browser's debugging tools 5) Go to the "Sources" tab, expand assets.moovsweb.com until you reach main.js 6) Go to line 4974 and put a breakpoint (below the price initialization code) 7) Click "checkout" (you should soon hit the breakpoint) 8) Go to the "Consule" tab and write: price = "XX" (XX should be the price you think is fair for this item :-)) and hit Enter 9) Release the debugger 10) You should now reach the checkout with your chosen price for the product. Continue as usual from here 11) Sit back and wait for your product to arrive ... It's that easy, not to say lame, but it works. Enjoy! JonnyBoy _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/