"Web applications increasingly integrate third-party services," the researchers say, explaining the motivation for their research. "The integration introduces new security challenges due to the complexity for an application to coordinate its internal states with those of the component services and the web client across the Internet."
They concentrated their efforts on analyzing merchant websites that accept payments through third-party cashiers such as PayPal, Amazon Payments and Google Checkout, and they came to the conclusion that merchant applications (both open source and commercial), online stores and third-party cashiers all present weak links in the security chain.
To prove their point, they carried out a number of different exploits of the flaws present in the software, which allowed them to buy an item for a far lower price than the one indicated, to continue to shop for free after having bought an item, or even to avoid paying for the items altogether.
Most of these flaws have already been patched by the affected parties, and the rest are currently being worked on, so the researchers have been free to share their exploits with the public.
They blame these security flaws on the complexity of interaction and communication between the buyer, the online seller and the third-party cashiers.
"Unfortunately, the trilateral interaction can be significantly more complicated than typical bilateral interactions between a browser and a server, as in traditional web applications, which have already been found to be fraught with subtle logic bugs," they say. "Therefore, we believe that in the presence of a malicious shopper who intends to exploit knowledge gaps between the merchant and the CaaS, it is difficult to ensure security of a CaaS-based checkout system."
One of the methods used to receive free items after paying for only one involved cloning and substituting the tokens that PayPal Express uses to uniquely identify a payment. This allowed the shopper to skip the payment step while still convincing Buy.com that the payment for the second order had succeeded.
Another technique convinced the merchant that the order had been paid for through Amazon, while the payment had actually been made to the shopper's own Amazon seller account. A number of other successful methods are described in the paper, and it's definitely worth a read to see how the exploits worked on different online stores.
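The token-substitution and wrong-payee cases above both come down to a merchant accepting a payment it never tied to its own order. As an added example (not code from the paper, the merchants or the cashiers; every class, field and account name is hypothetical), these are the merchant-side checks that bind a cashier confirmation to one order, one amount and the merchant's own account:

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Order:
    order_id: str
    total: Decimal
    currency: str

@dataclass(frozen=True)
class Confirmation:
    """Payment record the merchant fetches from the cashier server-to-server
    (hypothetical fields), never values relayed through the shopper's browser."""
    token: str
    order_id: str
    payee: str
    amount: Decimal
    currency: str
    status: str

class PaymentVerifier:
    def __init__(self, merchant_account: str):
        self.merchant_account = merchant_account
        self._settled = {}  # token -> order_id it already paid for

    def verify(self, order: Order, conf: Confirmation) -> list:
        """Return the failed checks; an empty list means the order may be marked paid."""
        failed = []
        if conf.status != "completed":
            failed.append("not completed")
        if conf.payee != self.merchant_account:       # payment went to someone else
            failed.append("wrong payee")
        if conf.order_id != order.order_id:           # token issued for another order
            failed.append("wrong order")
        if (conf.amount, conf.currency) != (order.total, order.currency):
            failed.append("wrong amount")
        if conf.token in self._settled:               # token replayed
            failed.append("token reused")
        if not failed:
            self._settled[conf.token] = order.order_id
        return failed

if __name__ == "__main__":
    v = PaymentVerifier("merchant-001")               # constructed sample data
    a, b = Order("A1", Decimal("19.99"), "USD"), Order("B2", Decimal("499.00"), "USD")
    paid_a = Confirmation("tok-1", "A1", "merchant-001", Decimal("19.99"), "USD", "completed")
    print(v.verify(a, paid_a))   # first order settles
    print(v.verify(b, paid_a))   # same token presented for a second order
```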
All in all, it seems unlikely that some of these techniques haven't already been tried by cyber crooks - some of them aren't really that complex. The researchers say that the flaws in the software are mostly due to the fact that it was programmed to accommodate various payment cashiers and online merchants.