By Yi Chen, former visiting Ph.D. student with the Security & Privacy in Informatics, Computing, and Engineering (SPICE) center.
A third-party payment service (aka a payment processor) such as PayPal is an Internet service that an e-commerce merchant integrates to handle the payment process between the buyer and the merchant. To financially protect the payment process, the payment service asks the merchant to fulfill certain security requirements, for example, to check that the amount paid on PayPal by the buyer is indeed equal to the price asked by the merchant. Without such checks, a malicious buyer may pay less, or even nothing, and still successfully check out an order on the merchant website.
The e-commerce merchant with its user-end mobile app often needs to integrate several payment services to offer customers the most payment options. The integration is complicated in practice because different payment services provide diverse APIs and SDKs. To simplify the integration, payment syndication services have emerged to wrap different payment services into a uniform interface. In this architecture, the merchant just needs to interact with the syndication service, which proxies the merchant's interactions with the diverse payment services and the buyers. Although this offloads the merchant's work, it further complicates the payment interactions among the buyer, the merchant, and the different payment services. So the question is whether the syndicator introduces new security risks, i.e., whether it makes the security requirements asked by the payment services impossible or error-prone to fulfill in the new architecture.
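The amount check described above is easy to state and easy to get wrong once a syndicator sits between the merchant and the payment service. The following is an added illustration, not code from the paper or from any syndicator: it contrasts a naive checkout that trusts the buyer's client with a merchant-side verifier that only accepts a server-to-server notification which is authentic, refers to a still-pending order, and pays exactly the merchant's recorded price in the recorded currency. The HMAC-SHA256 signing scheme, the `ORDERS` table, the `SHARED_SECRET` and all sample values are constructed assumptions for the example.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

# Constructed sample data: the merchant's own record of what each order costs.
# The merchant's price, not anything reported by the buyer, is the reference.
ORDERS = {
    "order-1001": {"amount": "49.99", "currency": "USD", "status": "pending"},
    "order-1002": {"amount": "120.00", "currency": "USD", "status": "paid"},
}

# Assumption: the syndicator and the merchant share a secret, and the
# syndicator signs each server-to-server payment notification with
# HMAC-SHA256 over a canonical JSON body. This is a generic scheme used
# only for illustration, not any particular syndicator's protocol.
SHARED_SECRET = b"constructed-demo-secret"


def canonical(payload: dict) -> bytes:
    """Serialize a notification deterministically so both sides sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, secret: bytes = SHARED_SECRET) -> str:
    """What the (hypothetical) syndicator computes before sending a notification."""
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


def naive_checkout(order_id: str, client_report: dict, orders=ORDERS) -> bool:
    """The pattern the post warns about: the merchant marks the order paid because
    the buyer's client says the payment succeeded, and never compares the amount
    actually paid against its own price. A buyer controlling the client can pass this."""
    return order_id in orders and client_report.get("status") == "success"


def verify_payment_notification(notification: dict, signature: str,
                                orders=ORDERS, secret: bytes = SHARED_SECRET):
    """Return (accepted, reason) for a payment notification received server-side.

    Accept only if: the signature is valid (authentic, untampered), the order exists
    and is still pending (blocks replay of an old notification), the payment
    succeeded, and the currency and amount match the merchant's own record.
    """
    if not hmac.compare_digest(sign(notification, secret), signature):
        return False, "bad signature"
    order = orders.get(notification.get("order_id"))
    if order is None:
        return False, "unknown order"
    if order["status"] != "pending":
        return False, "order not pending (replay or duplicate)"
    if notification.get("status") != "success":
        return False, "payment not successful"
    if notification.get("currency") != order["currency"]:
        return False, "currency mismatch"
    try:
        # Decimal, not float: "49.990" must equal "49.99" and 0.1+0.2 must not surprise us.
        paid = Decimal(str(notification.get("amount")))
    except (InvalidOperation, TypeError):
        return False, "unparseable amount"
    if paid != Decimal(order["amount"]):
        return False, f"amount mismatch: paid {paid}, price {order['amount']}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed notifications: an honest one and one paying a cent for the same order.
    honest = {"order_id": "order-1001", "amount": "49.99", "currency": "USD", "status": "success"}
    cheap = dict(honest, amount="0.01")
    print("naive checkout, client says success:", naive_checkout("order-1001", {"status": "success"}))
    print("verified honest:", verify_payment_notification(honest, sign(honest)))
    print("verified underpaid:", verify_payment_notification(cheap, sign(cheap)))
    print("verified tampered:", verify_payment_notification(cheap, sign(honest)))
```

The point of the contrast is where the trusted value comes from: `naive_checkout` takes the buyer's word, while `verify_payment_notification` compares a signed notification against the merchant's own stored price. In a syndicated architecture the same comparison still has to happen on the merchant's server, whichever party relays the notification.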
In our paper, Devils in the Guidance: Predicting Logic Vulnerabilities in Payment Syndication Services through Automated Documentation Analysis, we share our discoveries of logic flaws caused by popular syndication services, affecting tens of thousands of merchants and hundreds of millions of users. Once exploited, the vulnerabilities have serious financial consequences, allowing the malicious buyer to shop at an arbitrary price or even for free. Furthermore, we provide novel techniques based on NLP to automatically discover these security flaws, which only need to analyze the syndication documentation without touching any code. We successfully performed PoC attacks, and all flaws were acknowledged by the affected syndicators and merchants.
Yi Chen was formerly a visiting Ph.D. student with the Security & Privacy in Informatics, Computing, and Engineering (SPICE) center and is now at the Institute of Information Engineering, CAS. Her research interests include mobile security, data-driven security, and privacy.
Presented at USENIX Security '19, paper co-authors include Security & Privacy in Informatics, Computing, and Engineering (SPICE) Professors Luyi Xing, Xiaojing Liao, and XiaoFeng Wang, as well as Yue Qin of Indiana University Bloomington, and Kai Chen and Wei Zou of the Institute of Information Engineering, CAS.