Researchers Exploit Flaws in PayPal, Others to Avoid Payment Online

April 18, 2011

Researchers from Indiana University and Microsoft recently released a report detailing “logic flaws” that can afflict Web merchants that use third-party payment services like PayPal, Amazon Payments and Google Checkout. The report, “How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores,” details flaws that can create inconsistencies when the merchant, the third party and the Web client controlled by the consumer are communicating. “Unfortunately, the trilateral interaction can be significantly more complicated than typical bilateral interactions between a browser and a server, as in traditional web applications, which have already been found to be fraught with subtle logic bugs,” the report said. “Therefore, we believe that in the presence of a malicious shopper who intends to exploit knowledge gaps between the merchant and the [third party], it is difficult to ensure security of [this type] checkout system.” The researchers reported exploiting the flaws they found to purchase items at a lower price, shop for free after paying for one item or avoid payment entirely.