A flaw in a commonly used e-commerce software package may allow shoppers to give themselves hefty discounts on the products they purchase, according to an alert posted by Trust Factory BV, a software security company based in the Netherlands.
The software, called ShopFactory, is produced by 3D3.com Pty. Ltd., a company based in Victoria, Australia, and is a development tool for creating e-commerce sites. Among other things, ShopFactory allows merchants to create online shopping carts to store items that visitors select for purchase.
The security hole concerns the way ShopFactory stores price information on the items that customers select in shopping carts, according to Richard van den Berg, a security architect at Trust Factory, located in The Hague.
As opposed to the e-commerce technology used by online vendors such as Amazon.com Inc., 3D3.com’s software stores shopping cart information for return customers in an unencrypted form directly in the cookies stored on customer computers.
Van den Berg first noticed the problem at the Web site of a local sandwich shop in the Netherlands that used 3D3.com’s software to enable customers to order sandwiches online.
With the Netherlands’ transition to the Euro in January of 2002, van den Berg noticed that his typical sandwich order had become more expensive. The problem: Sandwiches were now paid for in Euros, but the prices on his order form at the shop’s Web site were still set to Guilder, the currency used in the Netherlands prior to the Euro’s introduction.
With item pricing information used by the ShopFactory software stored in cookies on the computers of customers, rather than on a central database owned and controlled by the sandwich shop, it was virtually impossible for the sandwich shop to update product prices on its own, van den Berg said.
“As soon as I looked at the cookie, I saw that all my lunches were there as well as the prices and realized that that’s why they were having such a problem with the Euro switch over,” van den Berg said.
Even worse for the sandwich shop, van den Berg discovered that the ShopFactory software accepted whatever price information was provided by the cookie, meaning that anyone with a text editor and knowledge about where to locate the cookie on their computer could adjust the price of the items they order and submit it to the online merchant, giving themselves a steep discount.
Designed for small online merchants, ShopFactory is meant to simplify the e-commerce Web site design process. The product contains built-in functions, wizards and “point-and-click commands” that require little or no software programming experience, according to information on 3D3.com’s ShopFactory Web site.
Still, van den Berg says that the company’s implementation of online shopping carts is unacceptable.
“I totally understand that it’s a lightweight solution to push (data) to the client, but instead of storing prices, they could store the IDs of items in the cart and pull prices out of the store’s own database. What (3D3.com) has done is very lazy. They’ve implemented shopping carts in a way that is very simple and straightforward, but not secure, ” van den Berg said.
No one at 3D3.com could be reached by telephone or e-mail.
According to van den Berg, Trust Factory contacted 3D3.com in early October regarding the problem. After being informed of the problem, 3D3.com set up a test e-commerce site on which the cookie creation feature was disabled and asked Trust Factory to prove their exploit of the ShopFactory software.
The workaround proved easy to defeat, van den Berg said. Even with cookie creation turned off, the ShopFactory software would still accept information from cookies it found. By simply modifying a ShopFactory cookie from the sandwich shop to match the test site set up by 3D3.com, van den Berg was able to submit a discounted order for himself.
Following the unsuccessful test, Trust Factory worked through 3D3.com Chief Executive Officer Steffan Klein to resolve the problem, but never communicated directly with the ShopFactory technical team, according to van den Berg.
According to the Trust Factory alert, 3D3.com has issued an updated version of its Trust Factory software, version 5.8, that resolves the problem by disabling the ability of the software to read information from cookies when the cookie creation feature was disabled.
But that fix could create more headaches for the merchants that use ShopFactory, van den Berg said.
“They provided a fix for shops that are willing and able to not use cookies for returning customers. For my lunch site, though, that would mean I have to recreate my lunch order every time I visit,” van den Berg said.
According to van den Berg, further communication between Trust Factory and 3D3.com broke down when the company failed to provide the fix to Trust Factory to test, and when Klein became vague about whether the fix had been released and ShopFactory customers notified of the problem.
Still, notifying customers might be a tall task. Links from 3D3.com’s Web site to the “thousands of sites” that use ShopFactory reveals a long list of small shops and online merchants scattered across the globe and selling everything from cosmetics to wedding gifts to pets and “green living” products.
The 3D3.com Web site had no mention of the security problem Tuesday, and the support forum for both security and product upgrades were absent of any mention of Version 5.8 of ShopFactory.
Customers using ShopFactory on their Web sites are advised to upgrade to version 5.8 and to set the “Remember Shopping cart for (days)” field to zero on using the administrative interface of the product, effectively disabling that feature, according to Trust Factory.
