E-commerce Checkout API Flaw Allowed Buyers to Pay Low Prices for High-Value Items
A security researcher discovered a business logic vulnerability in an e-commerce application's checkout API that allowed products to be purchased at the wrong price. The root cause was that the server trusted the price value supplied by the client instead of recalculating it server-side from the product ID in the order. Although the checkout request payload was encrypted, the researcher recovered the encryption key and initialization vector from the app's client-side code; with both in hand, any request could be decrypted, modified and re-encrypted so that the server accepted it as genuine. By swapping a high-value product ID into a request while leaving the low price field unchanged, an attacker could complete the order and receive the expensive item for a fraction of its cost. The lesson is the usual one for this class of bug: all pricing must be computed and enforced server-side from trusted data, and client-side encryption, whose key necessarily ships to the user, provides neither confidentiality nor integrity against that user and is no substitute for server-side validation and authorization controls.
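The following is an added example (not code from the researcher, the affected application or this site) that models the flaw and its fix. The cipher is a toy HMAC-based keystream standing in for the app's real encryption; the key, IV, SKUs and prices are constructed values. It shows a legitimate encrypted checkout request, the tampering an attacker can perform once the key and IV are pulled from client code, and a vulnerable handler that charges the client-supplied price beside a hardened one that prices the order from the server-side catalog only.

```python
import hashlib
import hmac
import json

# Key and IV hard-coded in the client bundle (constructed values for this example).
# A static IV shared by every request is itself a weakness, but the point here is
# that anything shipped in client code is available to the attacker.
CLIENT_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CLIENT_IV = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")

# Server-side catalog (constructed). Prices in cents to avoid float drift.
CATALOG = {
    "SKU-PHONECASE": 500,            # $5.00
    "SKU-FLAGSHIP-PHONE": 199900,    # $1,999.00
}


def keystream_cipher(data: bytes, key: bytes, iv: bytes) -> bytes:
    """Toy CTR-style stream cipher (HMAC-SHA256 keystream) standing in for the app's
    real cipher. Encrypt and decrypt are the same operation. Not for production use."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, iv + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def client_build_request(product_id: str, quoted_price_cents: int) -> bytes:
    """What the legitimate client sends: an encrypted JSON body that includes the price."""
    body = json.dumps({"product_id": product_id, "price_cents": quoted_price_cents, "qty": 1})
    return keystream_cipher(body.encode(), CLIENT_KEY, CLIENT_IV)


def attacker_tamper(encrypted: bytes, new_product_id: str) -> bytes:
    """Attacker holding the extracted key/IV: decrypt, swap the product, keep the
    cheap price, re-encrypt. The server cannot tell this from a genuine request."""
    body = json.loads(keystream_cipher(encrypted, CLIENT_KEY, CLIENT_IV))
    body["product_id"] = new_product_id  # price_cents deliberately left untouched
    return keystream_cipher(json.dumps(body).encode(), CLIENT_KEY, CLIENT_IV)


def vulnerable_checkout(encrypted: bytes) -> dict:
    """Flawed handler: decrypts, then trusts the price field it just decrypted."""
    body = json.loads(keystream_cipher(encrypted, CLIENT_KEY, CLIENT_IV))
    if body["product_id"] not in CATALOG:
        return {"ok": False, "error": "unknown product"}
    return {
        "ok": True,
        "product_id": body["product_id"],
        "charged_cents": body["price_cents"] * body["qty"],
    }


def hardened_checkout(encrypted: bytes) -> dict:
    """Fixed handler: the charge comes only from the server-side catalog. The client's
    price is at most a stale-quote check that must match; it is never an input."""
    body = json.loads(keystream_cipher(encrypted, CLIENT_KEY, CLIENT_IV))
    product_id = body.get("product_id")
    qty = body.get("qty", 1)
    if product_id not in CATALOG or not isinstance(qty, int) or qty < 1:
        return {"ok": False, "error": "invalid product or quantity"}
    server_price = CATALOG[product_id]
    if body.get("price_cents") != server_price:
        # Either the quote drifted or the payload was tampered with; refuse and re-quote
        # rather than charge the client's number.
        return {"ok": False, "error": "price mismatch, re-quote required"}
    return {"ok": True, "product_id": product_id, "charged_cents": server_price * qty}


if __name__ == "__main__":
    legit = client_build_request("SKU-PHONECASE", CATALOG["SKU-PHONECASE"])
    forged = attacker_tamper(legit, "SKU-FLAGSHIP-PHONE")
    print("vulnerable:", vulnerable_checkout(forged))  # flagship phone charged at 500 cents
    print("hardened:  ", hardened_checkout(forged))    # rejected with a price mismatch
```

Note that adding a MAC to the payload would not have helped: the MAC key would ship in the same client code as the encryption key, so the attacker could recompute it. Only pricing from data the client never controls closes the bug.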
This is an AI-generated summary. ShortSingh links to the original source for the complete article.