To honor Black Friday last week our security testers listed "top" five eCommerce related security findings, which we decided to adequately publish on Cyber Monday!
So here they are.
- The eCommerce platform or webshop has its admin consoles open to the Internet without even a password (and sometimes with the default password). Ouch.
- The setup where the payment and shipment are not linked in any way. If you just navigate to the right place, the shop assumes that you paid for the contents of your basket already because, after all, how else could you get there. As added bonus, the shop likely goes into somewhat inconsistent state as there is no payment linked to the shipment, making it a bit difficult to figure out what happened.
- Badly implemented eCommerce platform integrations. You can usually a) just change the return URL after returning from a failed payment and "pay" for the products or use a previous purchase number etc. We've seen so many problems like that. Also it's always a nice feature to create an invoice for -100 000 000€ ;)
- Feature where you can add an item to the shopping basket, go pay for it, but before committing the payment in the bank, create a new shopping basket, fill it with expensive stuff, go pay for it, and then commit the first basket payment, that is nicely acknowledged as payment for the more expensive basket.
- The eCommerce platform storing user passwords in plaintext. Or using MD5 as a "crypto" option. Yes, an oldie, but unfortunately still a finding from time to time.
We do emphasize that these findings have come up in legit security testing and that exploiting any vulnerability in the Internet without the service providers permission (e.g. through a bug bounty program) is illegal.
In case you want to have an opportunity to test your skills as a white hat hacker, consider joining Nixu by applying on our web site!
Have a safe Cyber Monday!