Institute of Electrical and Electronics Engineers
Web applications increasingly integrate third-party services. This integration introduces new security challenges, because an application must coordinate its internal state with the states of the component services and of the web client, all communicating across the internet. In this paper, the authors study the security implications of this problem for merchant websites that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout), a model they refer to as Cashier-as-a-Service (CaaS). They found that leading merchant applications (e.g., NopCommerce and Interspire), popular online stores (e.g., Buy and JR) and a prestigious CaaS provider (Amazon Payments) all contain serious logic flaws that can be exploited to cause inconsistencies between the state held by the CaaS and the state held by the merchant.