<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1919858758278392&amp;ev=PageView&amp;noscript=1">

Business Logic Flaws: The Channel Partner Attack

Jun 5, 2019 10:00:00 AM By Chetan Conikee

channel partners can provide a lucrative loophole

Editor's note: This is the third article in a seven-part series by Chetan Conikee.

Channel Partner Attack: An Example

My last post discussed Citibank’s exploit from 1999.


Act 3 - Nordstroms Hack

The actors in this story are Andrew and Allen Chiu and their plot to defraud Nordstorm via a channel partner, FatWallet.com.

FatWallet Inc., now defunct, used to be a membership-based shopping community website. The site promoted various online retailers by providing coupons and cash back incentives for purchases. Nordstorm was one of FatWallet's retailer partners. The Chiu brothers happened to be members of FatWallet.com.

In 2010, the criminal duo discovered a business logic flaw in Nordstorm’s e-commerce ordering system. They exploited this flaw by placing several orders that were never fulfilled. (The associated merchandise never shipped, nor were the credit cards charged.)

However Nordstorm’s fulfillment system continued to compensate FatWallet for each of these orders and the criminal duo received cash back credit from FatWallet.

Between January 2010 and October 2011, this dynamic duo place $23 million worth of orders on Nordstorm. Nordstorm paid $1.4 million worth of rebates and commissions, with more than $650,000 in fraudulent cash back payments going directly to both of them.

What are these conditions that led for this flaw to be exploited?

  1. An order should never be considered closed until fulfilled (shipped and delivered).

  2. A validation criteria should establish correlation between orderId and transactionId (received from payments processor) and dollar amount of transactionId should match the item price.

  3. Cash back workflow should not be triggered as a part of the realtime transactional workflow.

  4. Cashback workflow should not be triggered as a part of the realtime transactional workflow.

Ironically, this is one of those types of flaws that’s all but impossible for an automated web application vulnerability scanner to find.

The remaining posts will be released shortly after my coffee supplies are restocked.