>>>OT (Online Topic) Shopping Hackers Give Themselves Price Cuts - Report

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

Note: Posted for those interested in online news. (This article gives a whole new meaning to "Shop till you drop" =)


Shopping Hackers Give Themselves Price Cuts - Report

ATLANTA, GEORGIA, U.S.A., 2000 FEB 3 (NB) -- By Kevin Featherly, Newsbytes. As if hackers don't get away with enough, now it's become clear that they can use their knowledge to get better online shopping bargains than the rest of us.

An X-Force team alert issued Monday by Atlanta, Ga.-based Internet Security Systems, Inc., (ISS) says vulnerabilities exist in 11 online shopping cart applications - the programs through which shoppers at e-commerce sites make and process purchases - which can allow hackers to edit prices and buy goods for themselves on the cheap.

And if they can do it, says Chris Rouland, director of X-Force, the research arm of ISS, they probably are doing it. "I would think that people have already been exploiting this," Rouland said. "It's just difficult to track these types of losses."

Some of the problems are being dealt with by the affected shopping-cart software makers, the company says. But there has been no response from several other shopping cart makers since they were first alerted by ISS in December. Which doesn't surprise Rouland.

"In the rush to get online and get e-commerce going," he said, "frequently, security is looked at last and this is kind of an example of that. People are under a lot of pressure...and their security tends to be put on the back burner."

The vulnerabilities occur on the server side of the transaction, so they do not affect consumers - except those exploiting the holes to get good deals. But they may have terrific impact on e-commerce companies, Rouland said. However, no vendors have reported to ISS that they have been victimized, he said.

The report says that many Web-based shopping carts employ hidden fields in hypertext markup language (HTML) forms to hold details about items for sale at online stores. These can include the item's name, weight, quantity, product ID, and price. If the hacker changes the price in the form on a local machine, then uploads the page into the browser, the item can be added to the cart with its price changed.

A vulnerability somewhat more difficult to manipulate occurs when prices are listed in URL (uniform resource locator) "referral fields," the report states. When clicking a link, the site's CGI program will add items to shopping carts, with the price set in the URL. "Simply changing the price in the URL will add the item to the shopping cart at the modified price," the report says. "Shopping cart software should not rely on the Web browser to set the price of an item."

Neither of the vulnerabilities is particularly difficult to exploit. Rouland said his mother - not a talented hacker - could exploit hidden HTML forms. A grade C or grade D hacker could trick a computer using referral fields by rewriting a program to send the raw data over the network into the e-commerce site's server.

Rouland said that site encryption is no protection against these types of security holes, "even if there's a little padlock on the bottom of the screen." He said, "Whether another transaction is encrypted or not is irrelevant if the vendor's computer can be tricked into changing the price."

The ISS X-Force team notified the affected shopping cart software companies of the problems in December and plans to continue working with them to ensure software security, the report states.

One company, Check It Out (http://ssl.adgrafix.com ) has taken steps to fully secure its software.

Seven shopping cart software companies have modified their applications to provide a higher level of security, but still not to the highest level, Rouland said. These are:

@Retail (http://www.atretail.com)
Cart32 2.6 (http://www.cart32.com)
CartIt 3.0 (http://www.cartit.com)
Make-a-Store OrderPage (http://www.make-a-store.com)
SalesCart (http://www.salescart.com)
SmartCart (http://www.smartcart.com)
Shoptron 1.2 (http://www.shoptron.com)

Three have not yet provided any fix information to ISS:

EasyCart (http://www.easycart.com)
Intellivend (http://www.intellivend.com)
WebSiteTool (http://www.websitetool.com)

Rouland wouldn't comment when asked to name some of the online stores using the affected software. "Certainly some big stores are using this," he said. "I think you'll find that most e-commerce sites are using these types of canned shopping carts, because it's fairly easy and inexpensive to buy one and go online."

Small vendors buy them too, Rouland said, putting them at particular risk. "This goes back to the whole rush to get online and not to get the security," he said. "In addition, they don't have the expertise or the ability or resources to hire expertise."

The bottom line, Rouland said, is that vendors must find ways to authenticate data that comes into their servers during transactions. "You cannot take unauthenticated data and perform transactions on it," he said.

Internet Security Systems' Web address is http://www.iss.net/ .

Copyright (c) 1994-2000 Yahoo! Inc. All rights reserved.

-- Dee (T1colt556@aol.com), February 04, 2000
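The flaw the article describes, and the fix Rouland sums up as "you cannot take unauthenticated data and perform transactions on it", can be shown in a few lines of server-side cart logic. The following is an added example written for this thread; it is not code from ISS, Newsbytes, or any of the shopping-cart vendors named above. The field names (`product_id`, `price`, `quantity`, `sig`), the catalog entries, the server key and the sample submissions are all constructed for illustration. It covers both the hidden-form-field and the URL-referral variants (both arrive as the same `name=value` pairs), shows the trusting pattern beside the hardened one, and adds a simple tamper indicator a site could log.

```python
"""Cart price handling: trusting the browser vs. authenticating the data.

Added example, not vendor or ISS code. Field names, catalog, key and
sample submissions are constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {
    "SKU-100": {"name": "Widget", "price_cents": 1999},
    "SKU-200": {"name": "Gadget", "price_cents": 4999},
}

# Constructed secret for the HMAC variant; a real site loads this from a secrets store.
SERVER_KEY = b"example-only-secret-key"


def parse_submission(body):
    """Parse a form body (or URL query string) into single-valued fields.

    A hidden-field POST and an "add to cart" link both reach the CGI as
    name=value pairs, so one parser serves both cases in the article.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def fields_from_url(url):
    """The 'referral field' variant: the price rides in the link's query string."""
    return parse_submission(urlparse(url).query)


def add_to_cart_vulnerable(fields):
    """The flawed pattern from the advisory: the client-supplied price is trusted."""
    return int(fields["price"]) * int(fields["quantity"])


def add_to_cart_fixed(fields):
    """Fix 1: ignore any client-supplied price and look it up by product ID."""
    item = CATALOG.get(fields.get("product_id"))
    if item is None:
        raise ValueError("unknown product")
    qty = int(fields.get("quantity", "0"))
    if qty < 1:
        raise ValueError("bad quantity")
    return item["price_cents"] * qty


def tamper_indicator(fields):
    """Detection: a submitted price that disagrees with the catalog is worth logging."""
    item = CATALOG.get(fields.get("product_id"))
    if item is None or "price" not in fields:
        return False
    try:
        return int(fields["price"]) != item["price_cents"]
    except ValueError:
        return True  # non-numeric price is itself an anomaly


def sign_fields(product_id, price_cents):
    """Fix 2: when a hidden field must carry data, attach an HMAC tag to it."""
    msg = f"{product_id}:{price_cents}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"product_id": product_id, "price": str(price_cents), "sig": tag}


def verify_signed_fields(fields):
    """Server side of fix 2: recompute the tag and compare in constant time."""
    msg = f"{fields.get('product_id')}:{fields.get('price')}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields.get("sig", ""))


if __name__ == "__main__":
    honest = parse_submission("product_id=SKU-100&price=1999&quantity=2")
    edited = parse_submission("product_id=SKU-100&price=1&quantity=2")
    print("trusting client:", add_to_cart_vulnerable(edited), "cents")
    print("catalog lookup: ", add_to_cart_fixed(edited), "cents")
    print("tamper flagged: ", tamper_indicator(edited), tamper_indicator(honest))
    link = fields_from_url("http://shop.example/cart.cgi?product_id=SKU-200&price=5&quantity=1")
    print("link variant:   ", add_to_cart_fixed(link), "cents")
    signed = sign_fields("SKU-200", 4999)
    print("signed ok:      ", verify_signed_fields(signed))
    signed["price"] = "1"
    print("signed edited:  ", verify_signed_fields(signed))
```

Fix 1 is the one the report actually recommends: the browser never decides the price, so an edited hidden field or URL changes nothing. Fix 2 only matters for data the server genuinely cannot recompute; it makes tampering detectable rather than making the field trustworthy, and it still needs the catalog lookup for the price itself.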

Answers

Yo! All you lawyers who didn't make a bundle on Y2K!!! This is a golden opportunity to sue some software manufacturers (Shopping cart systems) in class action suits...

For the rest of us...glad I didn't start that on-line business, yet. But still plan to do so. It seems that I need to put an additional check or two into the system...

-- Mad Monk (madmonk@hawaiian.net), February 04, 2000.
