Sunday, November 04, 2007

QVC Business Logic Flaw nets scammer $412,000

$412,000 is what a business logic flaw in QVC’s website allowed North Carolina woman, Quantina Moore-Perry, to scam them out of. The scam was brain dead simple. 1) Place an order 2) Quickly cancel the order 3) Wait for the products to arrive in the mail anyway 4) Sell off the goods on eBay. 5) Profit. I guess the cancellation system needs a bit more attention.

My guess is Moore-Perry, who has since plead guilty to wire fraud, was no “hacker” and found the issue by mistake. She probably legitimately ordered something at first, then for whatever reason canceled it, and the products arrived in the mail anyway. Instead of calling customer support she probably saw an opportunity to make a little cash.

According to TheRegister article, QVC only learned of the incident when an eBay buyer tipped them off. They became suspicious because the QVC packaging wasn’t removed. Lazy crooks. The also incident begs the question, how many QVC customers (if any) have found the same issue and have just gone unnoticed? Out come the auditors. I’m sure this issue isn’t unique among eRetailers.

As I’ve been articulating over the last couple of months, business logic flaws like these can be incredibly damaging, are painfully common, and very difficult to identify. Obviously vulnerability scanners are not going to find these (unless they can check the mail too), IDS won’t spot them, and WAFs won’t block them. Basically this is because every part of the attack contains completely valid HTTP requests and responses. No crazy looking meta-characters like in XSS or SQLi and even the flow of the requests is natural.

At the same time, these types of issue can also be difficult for even a pen-tester to spot unless they know what to look for. Normally a pen-testers scope of work stops short of “ordering” something on the website. That’s also why I’ve been asking for and documenting as many of these real world examples as possible because it helps raise awareness. The more we have to go on the better everyone’s system design and vulnerability assessment processes will become.

8 comments:

MustLive said...

Captcha bypass test

kingthorin said...

You'd think he'd be over that by now.

ory segal said...

I think that 99% of the people wouldn't have spotted this vulnerability during a manual assessment, since it requires an actual order, a cancellation, and then a wait period to receive the product...not very likely to be spotted by the average joe pentester.

On the other hand, this is very simple to automate using a web application scanner and an RS-232 cable connected to your mailbox via your standard mailbox2computer interface ;-)

Awesome hack though...

Test said...

asdfsdf

Jeremiah Grossman said...

kingthorin> are you kidding!? MustLive is persistent! :)

ory> I'd go with 5 9's. 99.999% :)

And dammit, stop posting my software roadmap!

Test said...

Captcha bypass test!!!!

Test said...

Captcha bypass test

Anonymous said...

Captcha bypass test