Vulnerabilities in Online Payment Systems
This hack was conducted as a research project. It’s unlikely it’s being done in the wild:
In one attack, Wang and colleagues used a plug-in for the Firefox web browser to examine data being sent and received by the online retailer Buy.com. When users make a purchase, Buy.com directs them to PayPal. Once they have paid, PayPal sends Buy.com a confirmation message tagged with a code that identifies the transaction.
PayPal handles its side of the process securely, says Wang, but Buy.com was relatively easy to fool. First the team purchased an item and noted the confirmation code used by PayPal. Then they selected a second item on Buy.com but did not pay up. Instead, they used the code from the first transaction to fake a confirmation message, which Buy.com accepted as proof of payment.
Paper here.
noah • May 9, 2011 2:09 PM
I was implementing PayPal integration for an online store just last week and almost left a similar hole. I’d be surprised if it wasn’t being used in the wild.