Informatics group continues to find company errors

Informatics graduate student Rui Wang and associate instructor XiaoFeng Wang did it again.

The pair’s research group found errors in Amazon’s payment system that would allow malicious users to receive free merchandise. This is their second Internet security discovery this year.

In January, the group found issues within Facebook’s programing that, if exploited, would leak users’ personal information.

With the group’s latest work, some of the researchers were able to convince merchants that they had paid for items when the researchers just paid their own merchant accounts, according to a press release. This was possible because of some “serious logic flaws” in the consistencies of payment statuses.

Even with the inconsistencies, most of the flaws in the system were due to merchant software.

“We believe that it is difficult to ensure the security of a CaaS-based (cashier as a service) checkout system in the presence of a malicious shopper who intends to exploit these knowledge gaps between the merchant and the CaaS,” XiaoFeng said in the press release.

Even though the group found errors in the current systems, they have only tested the most simple version of the transactions. According to the press release, the research group believes the more complicated interactions will be substantially more error-prone.

“This calls for further security studies about such complicated multiparty web applications,” Rui said in the release.