November 14, 2006

How to buy a 65” Plasma for $.99

[Image: Panasonic plasma TV]

How secure is your web application? Are you sure? We are constantly amazed at the lack of basic security many companies employ online. For instance, it has been known for years that e-commerce sites utilizing hidden fields are susceptible to manipulation. The problem doesn’t seem to be getting any better, and is actually being made worse by some service providers. Many smaller hosting companies offer software solutions to help small businesses get online “faster” and “easier.” This almost never translates to more secure.

Which brings me to the title of this article. During my studies for the CEH exam, I was exposed to the seriously flawed CartIt.cgi shopping cart application. CartIt.cgi is a widely used shopping cart that stopped being developed last year. The reason this application is flawed is that it uses hidden fields within the HTML POST to submit the price and quantity when the user clicks on the add-to-cart button. Hidden fields are easy to manipulate. One of the easiest ways is to use a local proxy, such as Paros, to intercept the POST, effectively launching a man-in-the-middle attack against your own session. This allows you to change the price before it is submitted to the server.

Example: [screenshot of the CartIt shopping cart form]

Doing a simple Google search for cartit.cgi+plasma, I found a web site that sells plasma TVs (Which shall remain nameless to prevent being sued). The website thinks it is selling TVs for $7,599, but we can pay whatever we want by intercepting the POST and changing the price. If you think the company would catch this error, think again. Many companies outsource the fulfillment of orders, and never check the prices being charged. Note: I do not endorse e-shoplifting, so I did not complete the above transaction, but I know for a fact that the site will accept the order for $.99. Now, $.99 is extreme enough to *maybe* raise a flag. A simpler approach is to just move the decimal over 1 or 2 places. This way, if the company does notice, they will assume it was a processing error on their side. So maybe this article should be titled: “How to buy a 65″ plasma for $75.99.”

Another simple search for CartIt reveals that many hosting companies are still actively supporting CartIt.cgi. For example, IM1 Web Hosting calls CartIt “a powerful e-commerce solution for merchants and professional Webmasters…CartIt is an extensible, scalable shopping cart system that can handle just about any product or product combination you throw at it.” Disgraceful.

Note also that the shopping cart displayed above was deemed secure by VeriSign, Control Scan, BBB Online, Mastercard, & Visa. How much confidence do you have in those programs now??? Hopefully not much.

The exploit described above is not unique to CartIt. There are many shopping carts that use hidden POST fields. A shopping cart should allow the user to submit the SKU and the quantity, but never the price. The price should be queried from a database. The point here is that if you do not know how your applications work, you cannot rely upon their security. If you are using a shopping cart provided by your hosting company to run your site, we recommend you check it for these exploits. Failing to do so can be hazardous to your bottom line.
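To make the recommendation concrete, here is an added example in Python (not CartIt’s own code): a CartIt-style handler that trusts the hidden price field, beside a hardened handler that accepts only SKU and quantity, looks the price up server-side, and flags any client-supplied price that disagrees with the stored one. The catalog, SKUs and POST body are constructed for the example.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed catalog standing in for the merchant's price database.
# SKUs and prices are made up for this example.
CATALOG = {
    "TV-65-PLASMA": Decimal("7599.00"),
    "HDMI-CABLE": Decimal("19.99"),
}

def add_to_cart_vulnerable(post_body: str) -> dict:
    """CartIt-style handler: the hidden 'price' field is taken at face value.
    Whatever the client sends becomes the unit price."""
    form = parse_qs(post_body)
    sku = form["sku"][0]
    qty = int(form["qty"][0])
    price = Decimal(form["price"][0])  # client-controlled, never re-checked
    return {"sku": sku, "qty": qty, "unit_price": price, "total": price * qty}

def add_to_cart_hardened(post_body: str) -> dict:
    """Accept only SKU and quantity; the price always comes from the catalog.
    If the form still carries the displayed price, keep it for logging and
    report a mismatch instead of honouring it."""
    form = parse_qs(post_body)
    sku = form.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValueError(f"unknown SKU {sku!r}")
    try:
        qty = int(form.get("qty", ["0"])[0])
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError(f"quantity out of range: {qty}")
    unit_price = CATALOG[sku]
    displayed = form.get("price", [None])[0]
    if displayed is None:
        tampered = False
    else:
        try:
            tampered = Decimal(displayed) != unit_price
        except InvalidOperation:
            tampered = True  # unparsable price is treated as tampering
    return {"sku": sku, "qty": qty, "unit_price": unit_price,
            "total": unit_price * qty, "price_tampered": tampered}

# Constructed POST body, as the server would receive it after the hidden
# price field was edited in transit.
TAMPERED_POST = "sku=TV-65-PLASMA&qty=1&price=0.99"
HONEST_POST = "sku=TV-65-PLASMA&qty=2&price=7599.00"
```

The `price_tampered` flag is what a merchant would log and review before fulfilling the order, rather than relying on noticing the mismatch by hand.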

-Bill


Editor’s note: The techniques described in this article are for educational purposes only. We do not encourage or endorse the manipulation of 3rd party web applications to change the price. E-Shoplifting is a crime.


40 Comments »

  1. Kelly said,

    November 14, 2006 @ 10:21 am

    I knew I should have ordered some TVs before this was posted!

    Good article, hope the hosting companies are paying attention.

  2. Sassan said,

    November 14, 2006 @ 2:57 pm

    “E-Shoplifting is a crime.”

    I don’t think so. I’m pretty sure I have never seen a statute that defines “E-Shoplifting” as anything, let alone a CRIME. You do not need to protect yourself with meaningless disclaimers like this one. Nor does sending an HTTP POST to a public web server constitute shoplifting of any variety, E- or otherwise.

    Still, very interesting article!

  3. Malcolm said,

    November 14, 2006 @ 3:16 pm

    When those programs deem this software secure, they mean it’s secure for end-users, ie. if you put your credit card number in it won’t be stolen. None of these designations are supposed to mean it’s secure for you to run it for selling things.

  4. Sam said,

    November 14, 2006 @ 3:48 pm

    Hey, a good “test” would be to find the cheapest thing they have on their website, order it, change the price to a dollar MORE, add it to your cart and buy it. That way you’re testing the integrity of their pricing system without compromising your own integrity. You’re not stealing anything, you’re actually giving them more money. =)
    Plus, the site I looked at… I didn’t even need to proxy my way in as a middle man attack. I just viewed the source code, saved it, edited it in a text editor, located the “HIDDEN” field, adjusted the price, saved it, opened it in my browser then clicked through. The cartit.cgi DIDN’T EVEN CHECK THE REFERRER URL!!! OMG!
    Anyways, might be fun to check into.

  5. Jason said,

    November 14, 2006 @ 3:49 pm

    Hidden fields can be fine, so long as you don’t rely on them without some kind of security. Order numbers, skus, and price can be sent with hidden fields, as long as you verify those prices before the product is sent out. I happened to be working on a system that uses BoA CyberSource system, and I have worked with the Paypal API before. Both use hidden fields to send prices securely.

    ~jw

  6. anon said,

    November 14, 2006 @ 4:18 pm

    It may be wise to have a customer submitted price so you know what price the customer was looking at when they ordered. Logging such information would be useful, especially when misprints or discrepancies arise, as they undoubtedly will. Having the price you displayed to the customer may solve bugs or problems in your distribution model. Even better – if you compare this price against your privately stored selling price you can catch jerks trying to hack your online store.

    If you don’t know how a bicycle lock works, you can’t rely on it for security, same goes for these scripts. They aren’t severely flawed, just vulnerable when used improperly.

  7. Ambersail Infosec Roundup » Blog Archive » e-shoplifting Made Easy said,

    November 14, 2006 @ 5:48 pm

    […] Small businesses often use shopping cart software supplied by their hosting provider or ISP. When you have a small budget and limited technical resources, there are not many other choices. But as this article points out, poorly written web applications mean that sometimes you don’t always get what you pay for. […]

  8. Technocrat said,

    November 14, 2006 @ 6:24 pm

    As far as I can tell, Verified by Visa is a program for customer security, not website security. It is designed to protect the user’s card and in no way indicates that the website or its code is secure…

    http://usa.visa.com/personal/security/visa_security_program/vbv/how_it_works.html

    -Technocrat

  9. tankd0g said,

    November 14, 2006 @ 7:04 pm

    Most shopping cart systems that don’t call from a database do so because the orders are then hand keyed on a separate POS system, which would ironically make them more secure than an online database system. If you managed to get this 99 cent order to go through AND be shipped, then it might be fraud, but it’s mostly stupidity on the vendor’s part for shipping it.

  10. The Low Down for Today said,

    November 14, 2006 @ 7:18 pm

    […] If you’re bored of watching TV on your computer like I do, then you can buy a 65″ plasma for $0.99 (that is 99 cents). […]

  11. ArghWebWorks » Blog Archive » How secure is your cart? said,

    November 14, 2006 @ 9:12 pm

    […]

    Check your site for leaks.

    For instance; do you use the CartIt shopping cart? It’s notoriously insecure. Why? It keeps track of product pricing via hidden fields on the shopping cart form. Want to order something fancy for your spouse? Fire up your HTML editor and write your own form and submit to the target url on their server. Or just use a local proxy (parosproxy) to do the heavy lifting.

    All too often when you hire a contractor, they use something insecure like this. I’m more inclined to blame laziness rather than ignorance or even malpractice. However, this is a good place where the money spent on a code review by a third party could really save you in the long run.

    Thanks to: EdgeBlog.[…]

  12. Anonymous said,

    November 14, 2006 @ 9:26 pm

    How to buy a 65 inch Plasma TV for 99 Cents!!…

    The Author points out a security problem with an ecommerce site. You can fool the website to sell you a Plasma TV for 99 cents….

  13. IndianPad said,

    November 14, 2006 @ 9:38 pm

    How to buy a 65 inch Plasma for 99 Cents…

    How to buy a 65 inch Plasma for 99 Cents posted at IndianPad.com…

  14. Tyler said,

    November 14, 2006 @ 10:44 pm

    if you are using firefox and have the web developer extension (https://addons.mozilla.org/firefox/60/) installed, all you have to do is go to Forms>Display Form Details and you can edit the hidden field right on the page.

  15. Truly amazing at berchman.com said,

    November 14, 2006 @ 11:32 pm

    […] [link][more] […]

  16. DavidK said,

    November 14, 2006 @ 11:54 pm

    Strangely, they have known about this for six years (assuming the 2000 in this reference number is when it was discovered):
    http://www.colasoft.com/resources/vulnerability.php?id=CAN-2000-0137

  17. nullbit said,

    November 15, 2006 @ 3:08 am

    There is a law against it, it’s called fraud. Please nobody try it.

    The threat of prison seems like enough of a security patch to me.

  18. Brent said,

    November 15, 2006 @ 3:51 am

    Useful article. I would strongly disagree with the poster who denies that “sending an HTTP POST to a public web server constitutes shoplifting of any variety”. If one were caught doing what the article describes, I am quite certain that fraud charges would be forthcoming — because this is the electronic equivalent of ‘switching price tags’. And that certainly is a crime.

    See, for instance: http://www.fbi.gov/ucr/ucrquestincident.htm (under Larceny/Theft)

  19. Chris Harrod said,

    November 15, 2006 @ 6:46 am

    This isn’t breaking news. This has been known for a long time.

    Welcome to 2006.

    People will write a blog about anything to generate hits.

  20. GIGANTIC DWARF » Blog Archive » How to buy a 65” Plasma for $.99 said,

    November 15, 2006 @ 6:59 am

    […] http://www.edgeblog.net/2006/how-to-buy-a-plasma-for-99/ […]

  21. TalesLinger.Com - » Shopping Cart Problems said,

    November 15, 2006 @ 7:34 am

    […] There’s a post here describing how easy it is to change the price on an online shopping cart program before the purchase is submitted.  […]

  22. links for 2006-11-15 at Hangover Sunday said,

    November 15, 2006 @ 8:32 am

    […] edgeblog » How to buy a 65″ Plasma for $.99 Coined term-watch: “E-shoplifting.” There’s a shopping cart application some sites still use that will let you name your own price. If you’re that kind of person. (tags: hail_cyberanarchy) […]

  23. Anonymous said,

    November 15, 2006 @ 8:37 am

    Just to let anyone know who wishes to try this, this constitutes wire fraud which is a federal offense.

  24. Anonymous said,

    November 15, 2006 @ 8:58 am

    It’s not wire fraud if there is no evidence of the accused changing the prices. Any US court would throw the case out of court unless the accused accepts the goods and the company concerned can prove, beyond reasonable doubt, that the price was indeed changed. I’m taking suggestions on how you THINK they will be able to do that =)

  25. Jonathan said,

    November 15, 2006 @ 9:26 am

    This is a misleading title to the article. You can’t buy anything pulling this stunt – even if you got through the shopping cart and credit card payment process.

    I have a shopping cart with a few thousand products listed. Should anyone manage to pull this stunt, I’d simply cancel their order. You can’t and won’t be allowed to buy anything. In fact, I’d ban that customer from ever buying anything from me again.

    Be advised – I’d have all kinds of information on you or anyone trying this, if you were stupid enough to try paying for this with your own credit card. And yes, I hunt you down ruthlessly.

  26. Pablo said,

    November 15, 2006 @ 10:36 am

    @Sassan: Just because there is no law against ‘E-Shoplifting’ doesn’t mean it’s not covered. You’ll find that most countries have laws against “obtaining goods and/or services by deception”. By carrying out the man-in-the-middle attack, you would be actively deceiving the supplier; it’s not a mistake on their behalf, it’s a deception on your behalf and would be fraudulent.

  27. BC said,

    November 15, 2006 @ 10:58 am

    This seems much more like bargaining than fraud. All you are doing is making an offer that their system is free to accept, reject or make a counter offer. That is how business works.

  28. Anonymous said,

    November 15, 2006 @ 12:40 pm

    Well the FBI thinks it’s fraud, so we’re passing on any and all orders that come through doing it. Some folks have been dumb enough to use their real information.

  29. Geek Rant dot org said,

    November 15, 2006 @ 4:01 pm

    How to buy a 65” Plasma for $.99…

    e-commerce sites utilizing hidden fields are susceptible to manipulation, such as selling a 65” Plasma for $.99. The way it works is the hidden field containing the price gets its value changed from many thousands of dollars to less than one, and t…

  30. Anonymous said,

    November 15, 2006 @ 5:56 pm

    It can’t be fraud unless you prove it :-)

    How will you be able to prove in a court that it was not a software glitch that caused the error in price? You won’t …..

  31. ex-FBI said,

    November 15, 2006 @ 6:35 pm

    I’ve worked in the computer crimes division for the FBI for several years. These days I’m a private investigator with a major banking corporation.

    Firstly, there is no actual ‘crime’ unless the goods were shipped out. If the transaction was cancelled by the store owner, then it was never actually completed, so no ‘contract’ was entered into to be defrauded – hence, no case for wire fraud. Wire fraud needs to be proven by hard evidence in any case. The plaintiff would have to prove that their computers and server were compromised and that the user actually benefitted from the transaction by receiving the goods.

    Again, no loss, and no evidence of loss so no prosecution. The only thing the store owner would be doing is wasting the FBI’s time and hindering their chances of a good and solid investigation regarding a real fraudulent crime in the future.

  32. ex-FBI said,

    November 15, 2006 @ 6:39 pm

    + more

    To all store owners, get a proper shopping cart which does not have such a serious vulnerability.

    It’s probably time consuming to filter out all the orders that came through in the last couple of days from kiddies using their parents’ credit cards, so ensure you have a deterrent in place on the main page or checkout page, if you are unable to secure the shopping cart software. A simple, “alterations of prices is fraud” on the final checkout page would weed out 90% of these sorts of transactions.

  33. Anon said,

    November 15, 2006 @ 8:27 pm

    AMATEUR Lawyer…..don’t rely on this !
    —————————
    Advertisement is an offer to treat.
    Customer’s Order is an Offer to buy at a price (usually matching the advertised price)
    Acceptance comes from the shop’s end when they ring up the purchase

    Offer + Acceptance = Contract.
    ———————————————–

    AFAIK it is legal to make an offer of any amount regardless of the price on the shelf or the web site.

    Walking into a shop and offering 99c for a TV is legal (You would expect the shop clerk to refuse your offer in that case)
    If a shop is stupid enough to automate a process that accepts any offer you make then that’s their problem.

  34. How to Buy a 65″ Plasma for $.99 « Paul´s Blog said,

    November 17, 2006 @ 10:38 am

    […] read more | digg story […]

  35. me said,

    November 21, 2006 @ 3:07 am

    It just annoys me this even exists these days – it is disgraceful that the product is in such wide circulation still

  36. Mike said,

    December 28, 2006 @ 4:38 pm

    Interesting story, you should have posted more text when you dropped a link on my forum though. I nearly deleted it as spam.
    Anyway I dugg this and you’re added to my Digg Army.
    I will let you know when we have gathered some more troops then we can get digging.

  37. Dan said,

    January 24, 2007 @ 3:56 pm

    Calling CartIt and other carts like it insecure because it allows the hidden field is incorrect. It is not insecure for this reason. The reason for allowing such is to not depend on a shopping cart’s ability to present a product page the way the merchant wants. CartIt, like most like it, allows the merchant to create a way to check this price and verify that it is valid (though most don’t use it).

    CartIt merchants are small merchants. They typically only have one or two people working for them. They usually will catch pricing information that is wrong because they hand process each of the orders.

    As for checking the referring URL: CartIt can check for this, but blame companies like Symantec and ZoneLabs for this not being enabled. Because they find that sending a referring URL is a privacy violation, these products, by default, block the sending of the referring URL.

  38. Anonymous said,

    February 27, 2007 @ 3:22 pm

    Very informative site. Good job.

  39. Bill said,

    March 27, 2008 @ 10:16 am

    This is a perfect example of the uneducated telling a story without any facts. Fact is, man-in-the-middle attacks have been around a long time, and if CartIt is insecure, then so is Paypal and any other form-based cart. This “exploit” is trivial and simply not likely to ever get past any small merchant running cartit. Data tampering in such a way as this would be simple theft. CartIt is secure, so you’ve proved nothing except that someone could manipulate the price. They could also manipulate any other form field data as well. Considering the number of fraud orders the average online merchant gets each day, this would be trivial to catch. What is disgraceful is your characterization of a host being bad because they support a cart? So do the same to PayPal- why not? An easy way around this would be to install cartit.cgi to an SSL URL and make all posts to the cart via SSL. EASY but SLOW.

  40. bill said,

    March 29, 2008 @ 10:29 am

    Bill,

    Thanks for the comment. You are of course incorrect. The problem here has nothing to do with the transport mechanism, and everything to do with the data being sent. Most shopping carts take as input from the user a SKU and a QTY. The price is calculated on the back-end. If I manipulate one of these fields, all I get is a different product or a different quantity. No big deal.

    With Cartit, the price is also sent from the client to the server, and can be manipulated. Unless you have some other mechanism on the back-end that re-validates the price, the changed value will be accepted. Transporting this over SSL would have no effect, because I change the value on my side before I send it.

    Thanks for stopping by and reading my article!

    -Bill
