Business process flaws seen posing security risks

Flaws in the business processes that underlie Web sites can present serious security risks, the CTO of a Web security company said Thursday.

Running a secure Web site means more than just guarding against cross-site scripting and SQL injection attacks. Flaws in the business processes that underlie Web sites can also present serious security risks, the CTO of a Web security company said Thursday.

Flaws in the processes, or business logic, for Web sites can prove highly profitable to hackers, require little skill to exploit and are sometimes technically not illegal to take advantage of, said Jeremiah Grossman, CTO of WhiteHat Security, at the Source Boston Security Showcase.

"These issues are common if you know what to look for," he said.

He offered several examples of these flaws, including those found in Web site designs, Captcha authentication systems and user privileges. People who take advantage of them are often simply banned from using a service, although sometimes they are prosecuted.

In 2007 a woman was accused of scamming QVC out of US$412,000 by exploiting a flaw in its business logic. She placed orders for 1,800 items with the home-shopping network and then cancelled the orders on its Web site. She received credit for returning the merchandise, but the items were sent to her anyway and she sold them on eBay, the Department of Justice said. QVC became aware of the matter when eBay users contacted it about receiving items still in its packaging. The woman eventually pled guilty to wire fraud.

Password reset features can lead to unauthorized account access if they ask obvious questions and hackers have minor pieces of information about their victims. Grossman offered an example involving former mobile service provider Sprint. To reset its passwords, he said, a hacker needed to know only a person's mobile-phone number and a basic piece of information such as where they lived or the car they drove. This could have allowed a hacker to order new phones in the victim's name or install new services on their phone.

E-coupons pose a risk to merchants if coupon numbers are close to each other sequentially. One retailer saw some of its high-priced items selling for a few dollars after a hacker wrote a script to uncover coupon numbers that differed by only a few digits, Grossman said. The retailer discovered the problem when its system logs uncovered an abundance of orders being processed at night while the hacker's script ran.

Hackers can persuade other Web surfers to solve Captcha tests for them by luring them to Web sites with the promise of free music or adult content. Captchas require a person to decipher a string of jumbled characters to sign up for services such as a Web e-mail account. The Web surfers solve the Captchas, which are sent via proxy server to the hacker, who then uses them to sign up for multiple e-mail accounts for sending spam or some other activity.

"As long as you have enough users coming to your Web site, you have the Captcha solved," said Grossman. "Bad guys want to defeat these Captchas so they can spam us."

Another flaw is granting users access to all parts of a Web site when they have a login or password for a particular service there. For example, employees at an Estonian firm signed up for the Business Wire press release service in 2004. It figured out that URLs on the site sometimes contained information about news releases that had not yet been made public. Using a program that searches for URLs, the employees at the firm were able to uncover sensitive business and financial information. After buying and selling stock based on this information, the employees made $7.8 million, but were also hit with fraud charges by U.S. regulators.

He noted that there have likely been many similar such instances that never came to light because the perpetrators were never caught.

Web security extends beyond quality assurance and properly designing Web applications to include how the services are set up to operate, he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags sql injection

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Fred O'Connor

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?