Vulnerability Found: Cyberoptix Tie Lab
Even though it has been more than 18 months since I reported this issue, the company is working with limited funds and technological constraints that prevent them from resolving this particular issue. In order to prevent theft, they are now manually approving all orders before final billing and shipping.
Anyone running an online store that uses PayPal should be very careful about how the cart is programmed. There are two ways to set up carts with PayPal. The first is to use a company ID and pass the price of an object as a parameter. The second is to set up the items in PayPal itself and then pass the item ID as a parameter. As you may already realize, the first method is horrible: the price arrives as a parameter the client controls, so altering the value passed as the price allows an attacker to set the price at whatever they please (even zero).
Cyberoptix Tie Lab had the first method for a PayPal cart implemented. This allowed me to create a proof of concept order for the owner showing that I ordered over 100 custom ties (with wood gift boxes) for free.
I contacted the owner of Cyberoptix Tie Lab and explained what the issue was, and gave him the proof of concept order information and a screenshot of the vulnerability and how it is exploited. He sent this information to their web developer, but due to the cost of having their entire set rewritten, they are currently just manually approving every order before final billing is completed.
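The manual approval step described above can be expressed as an automated reconciliation check. The following is an added example, not code from the original post or from the shop: it recomputes each order's total from a server-side catalog and holds any order whose paid amount differs. The catalog, item IDs, prices and order field names are all constructed for illustration.

```python
from decimal import Decimal

# Constructed server-side catalog: the only trusted source of prices.
CATALOG = {
    "TIE-SILK-01": Decimal("40.00"),
    "BOX-WOOD-01": Decimal("15.00"),
}

def expected_total(lines):
    """Recompute the order total from catalog prices; client prices are ignored."""
    total = Decimal("0.00")
    for line in lines:
        item_id, qty = line["item_id"], line["quantity"]
        if item_id not in CATALOG:
            raise ValueError(f"unknown item {item_id!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid quantity {qty!r}")
        total += CATALOG[item_id] * qty
    return total

def review_order(order):
    """Return (approved, reason); approve only when paid amount equals catalog total."""
    try:
        expected = expected_total(order["lines"])
        paid = Decimal(str(order["amount_paid"]))
    except (ValueError, KeyError, ArithmeticError) as exc:
        # Malformed orders are rejected, never approved by default.
        return False, f"rejected: {exc}"
    if paid != expected:
        return False, f"hold: paid {paid}, catalog total {expected}"
    return True, "ok"

# Constructed sample orders (hypothetical field names).
HONEST = {"amount_paid": "95.00", "lines": [
    {"item_id": "TIE-SILK-01", "quantity": 2},
    {"item_id": "BOX-WOOD-01", "quantity": 1},
]}
# Mirrors the proof of concept in the post: many items, nothing paid.
TAMPERED = {"amount_paid": "0.00", "lines": [
    {"item_id": "TIE-SILK-01", "quantity": 100},
    {"item_id": "BOX-WOOD-01", "quantity": 100},
]}

if __name__ == "__main__":
    for name, order in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, review_order(order))
```

The same comparison belongs wherever the store learns that a payment completed, so that a mismatch stops the order before shipping rather than relying on someone spotting it.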
If you are in the market for a good tie, please check them out. I have purchased a couple of them since this vulnerability was found (including the ties worn by the men at my wedding).
- Vulnerability Type: Unsecured PayPal Cart
- Implications: Possible theft by a malicious user who alters the price of an item and gets it for free.
- Company Response: Grateful for the information and they sent me a free silk tie.
- Date Reported: July 2012