Winebusiness.com - Homepage for the Wine Industry

UC Davis News: E-commerce software vulnerable to hackers (Press Release)


Date: 10/08/13

by UC Davis

A popular open-source e-commerce software package is vulnerable to being cheated, computer security researchers at the University of California, Davis, have found. By exploiting vulnerabilities in the widely used osCommerce software, the researchers were able to purchase items from online stores for free or for substantially less than their correct prices.

"The majority of the payment modules in osCommerce are vulnerable to logic attacks that allow you to pay less or even pay nothing at all," said Fangqi Sun, a graduate student working with Professor Zhendong Su in the UC Davis Department of Computer Science.

The researchers have been attempting to notify osCommerce of the discovered vulnerabilities and to help the developers patch the software. They have also refunded the vendors for items they purchased at below cost during their research.

Online transactions rely on a trusted third party, or "cashier," who bridges the gap between vendors and their customers. But the use of a third party cashier also complicates the payment logic and introduces a new class of vulnerabilities that can result in significant financial losses to merchants, Su said.

The osCommerce software allows vendors to manage online transactions. It has been in active development and maintenance for about 12 years and is currently powering more than 14,000 online retailers. It is open-source software, meaning that programmers around the world can contribute and make improvements to it.

Sun, with Su and graduate student Liang Xu, downloaded the osCommerce software and developed the first automated tool to scan it for payment logic vulnerabilities.

Sun found, for example, that with a few simple changes to HTTP requests she could pay the same numeric amount in U.S. dollars instead of British pounds, a marked discount given the exchange rate. It was also possible to trick a merchant into believing that an item had been paid for when in fact it had not.
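The two failures described above come from the merchant accepting payment parameters it did not verify against its own record of the order. The following is an added illustration, written in Python rather than osCommerce's PHP, and is not code from osCommerce or from the UC Davis researchers: the cashier, its shared secret, the order and the notification field names are all hypothetical. A flawed "payment complete" handler checks the amount but neither the currency nor who sent the message; the hardened handler accepts only a cashier-signed notification whose order id, status, amount and currency all match the stored order, and refuses replays once the order is paid.

```python
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Hypothetical shared secret the cashier uses to sign the payment
# notifications it sends to the merchant (constructed for this example).
CASHIER_SECRET = b"merchant-cashier-shared-secret"


@dataclass
class Order:
    order_id: str
    amount: str      # decimal string as quoted to the customer, e.g. "100.00"
    currency: str    # currency the merchant priced the order in
    paid: bool = False


def fresh_order() -> Order:
    """A constructed order: 100.00 GBP, not yet paid."""
    return Order("1001", "100.00", "GBP")


def cashier_sign(fields: dict) -> str:
    """HMAC over a canonical k=v list, as a hypothetical cashier would sign."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(CASHIER_SECRET, msg, hashlib.sha256).hexdigest()


def signed_notification(order_id: str, amount: str, currency: str) -> dict:
    """What the cashier sends after it really collected `amount` `currency`."""
    fields = {"order_id": order_id, "status": "paid",
              "amount": amount, "currency": currency}
    return {**fields, "sig": cashier_sign(fields)}


def vulnerable_complete(order: Order, params: dict) -> bool:
    """Logic flaw: trusts the parameters of the customer's return request.

    The amount is compared, but the currency is ignored and nothing proves
    the cashier sent the message, so a payment of 100.00 USD, or a forged
    status=paid with no payment at all, marks the 100.00 GBP order as paid.
    """
    if params.get("order_id") != order.order_id:
        return False
    if params.get("status") != "paid":
        return False
    try:
        if Decimal(params.get("amount", "")) != Decimal(order.amount):
            return False
    except InvalidOperation:
        return False
    order.paid = True
    return True


def hardened_complete(order: Order, params: dict) -> bool:
    """Only a cashier-signed notification matching the stored order counts."""
    if order.paid:
        return False                     # replay of an earlier notification
    fields = {k: v for k, v in params.items() if k != "sig"}
    expected = cashier_sign(fields)
    if not hmac.compare_digest(params.get("sig", "").encode(), expected.encode()):
        return False                     # forged or tampered notification
    if fields.get("order_id") != order.order_id:
        return False
    if fields.get("status") != "paid":
        return False
    if fields.get("currency") != order.currency:
        return False                     # the dollars-for-pounds trick
    try:
        if Decimal(fields.get("amount", "")) != Decimal(order.amount):
            return False
    except InvalidOperation:
        return False
    order.paid = True
    return True


if __name__ == "__main__":
    usd = signed_notification("1001", "100.00", "USD")   # cashier took dollars
    forged = {"order_id": "1001", "status": "paid", "amount": "100.00"}
    print("vulnerable, USD for GBP:", vulnerable_complete(fresh_order(), usd))
    print("vulnerable, no payment :", vulnerable_complete(fresh_order(), forged))
    print("hardened,   USD for GBP:", hardened_complete(fresh_order(), usd))
    print("hardened,   no payment :", hardened_complete(fresh_order(), forged))
    print("hardened,   genuine GBP:", hardened_complete(
        fresh_order(), signed_notification("1001", "100.00", "GBP")))
```

The comparison is done against the merchant's own stored amount and currency, never against values echoed back from the browser, and the amount is parsed as a Decimal so that "100" and "100.00" agree while "1e2"-style tricks on a float parser do not arise. Real cashiers sign or let the merchant query a transaction by id; whichever the module uses, the check belongs on the server side of the merchant, in the handler that flips the order to paid.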

The vulnerability detection tool was developed for the PHP programming language used to write osCommerce, but the general principles of the attacks should be applicable to other e-commerce software, whether proprietary or open-source, Sun said.

Earlier this year, Su's research group identified security flaws in popular applications running on Android smartphones.

About UC Davis

For more than 100 years, UC Davis has engaged in teaching, research and public service that matter to California and transform the world.
Located close to the state capital, UC Davis has more than 33,000 students, more than 2,500 faculty and more than 21,000 staff, an annual research budget of nearly $750 million, a comprehensive health system and 13 specialized research centers. The university offers interdisciplinary graduate study and more than 100 undergraduate majors in four colleges -- Agricultural and Environmental Sciences, Biological Sciences, Engineering, and Letters and Science.
It also houses six professional schools -- Education, Law, Management, Medicine, Veterinary Medicine and the Betty Irene Moore School of Nursing.
