“1999 called, they want their e-commerce exploit back”
This is a class of vulnerability that really shouldn’t exist these days. I don’t know if anyone remembers this, but around 1999 to 2000, when e-commerce was still in it’s infancy, there were many “e-tailers” who were ripped off blind by people modifying the contents of forms and URLs to alter the prices of things like laptops to a buck - pay the shipping and save several hundred bucks.
E-commerce programmers these days should be smarter than to trust data which goes out to userland and comes back, but that’s exactly what I discovered Tracfone were doing a couple of weeks ago - when purchasing minutes, the dollar amount and the number of units were sent out in a form and then sent back in a GET request. Spotting this what I thought was a trivial, useless information disclosure, I tried opening the URL in a new tab and modifying the price from 19.99 to 1.99. The next page still kept the correct price so I thought “bah, I’ve found nothing.”
I closed the tampered tab and went back to my original, what I thought to be legitimate purchase tab, and completed the process. I almost didn’t notice, but my total for the transaction was $2.33. It should be stressed that even if I thought it was going to work, I wouldn’t have completed the transaction - I had no intention to commit fraud. Not only was their system vulnerable to manipulation, it was pretty adamant after the manipulation that it knew what it was doing. The only way I can think that this worked is either the server side session information is updated from the GET request, or a cookie’s set. I didn’t bother exploring why, because I wanted my account straightened out, I use the Tracfone as an emergency contact for my wife’s company - I didn’t want it shut off because of a billing snafu.
So I called Tracfone, and they were insisting it was a legitimate transaction, that their system showed I was charged the correct amount and blah blah blah. I had a hard time making this lady understand the implications of this system, the conversation at one point went something like this:
<fwaggle> You don’t seem to understand, I could go on your website right now and buy lifetime double minutes, and a 400 minute card, for about two bucks.
<tech support> So what I am understanding is that you purchased the 60 minute card, but wish to instead purchase the 400 minute card?
Yeah, she seriously responded to it with that. Eventually I asked to put me through to a supervisor, and she instructed that they were all busy, and one would call me back in 24 hours. No such luck.
I waited until Monday, and I emailed a security email address I’d found on a website someplace while googling. I told them the situation, but didn’t describe the bug, and I also told them that I’d wait exactly 30 days before disclosing this publicly. I told them if they cooperated I would be happy to sit on the disclosure for a little longer. Nothing. Wednesday, the “contact us” form on their website was working so I tried to use that, again describing the situation but not the bug. By this time I’m getting sick of dealing with it, so I told them they had until Friday to respond in some fashion or I’d disclose it on Friday. I received an email back in a few hours stating that they thanked me for bringing it to their attention and that their website was secure.
With the exception of trying to explain it to the level 1 customer support lady, I’d never actually described the bug to them, but they’re claiming - somewhat ambiguously - that it’s fixed, so I’m disclosing it now.
It might still be possible to do it, or it might be possible to change the number of units in the URL and see what happens - truthfully I can’t be bothered checking it and don’t want another “fraudulent” transaction on my phone. They claim their website’s secure, so I think I’m okay disclosing this. They don’t appear to have any interest in correcting the charge to my card, I guess I get to keep those 120 minutes (haha double minutes coupon) that I paid $2.33 for as a door prize.
Disclosure History (including creepy time correlations)
Sunday, October 12th 2008
4:33pm Transaction pending for $2.33
4:48pm Called to report findings, spoke with level 1 tech support who was less than helpful. Escalated to supervisor, but they will have to call me back within 24 hours.
Monday, October 13th 2008
4:30pm - Emailed Tracfone Security address regarding vulnerability. No call yet.
Friday, October 17th 2008
4:32pm - Filled in “contact us” form on website, alerting vendor of my intention to disclose publicly.
Saturday, October 18th 2008
4:31pm - Received email from Customer Service, saying “Please be informed that our website is secured.”
Thursday, October 23rd 2008
12:30pm - Public disclosure.
Note well: I am not responsible for anything any viewer does with this information. Please be aware that knowingly modifying prices of items on e-commerce websites could be considered wire fraud depending on your jurisdiction. You’ve been warned.