Discover Business Logic Flaws: Act 3

Apr 8, 2019 9:42:07 AM By Chetan Conikee
Act 3 - The dynamic duo Andrew and Allen exploit Nordstrom with their FatWallet

Editor's note: This is the 3rd article in a seven-part series by Chetan Conikee. We will publish the series in its entirety within the next few days. To be notified when a new article in the series is published, "Join" the community in the bottom right-hand corner of this page. By joining our community, you'll receive a free download of the book "Epic Failures in DevSecOps", including Chetan's chapter, "Strategic Asymmetry – Leveling the Playing Field between Defenders and Adversaries".

Fast forward to 2012 from my last post, which re-enacted Citibank's exploit from 1999.

Act 3 - Nordstrom Hack

The actors in this story are Andrew and Allen Chiu, and the plot is their scheme to defraud Nordstrom via a channel partner.

FatWallet Inc. was a membership-based shopping community website that promoted various online retailers by providing coupons and cash-back incentives for purchases. Nordstrom was one of its retailer partners, and the Chiu brothers were members of

In 2010, the criminal duo discovered a business logic flaw in Nordstrom's e-commerce ordering system. They exploited it by placing several orders that were never fulfilled: the associated merchandise was never shipped, and their credit card was never charged.

However, Nordstrom's fulfillment system continued to compensate FatWallet for each of these orders, and the criminal duo received cashback credit from FatWallet.

Between January 2010 and October 2011, this dynamic duo placed $23 million worth of orders with Nordstrom, leading to Nordstrom paying $1.4 million in rebates and commissions, with more than $650,000 in fraudulent cashback payments going directly to the two of them.

Which conditions, had they been enforced, would have prevented this flaw from being exploited?

  1. An order should never be considered closed until fulfilled (shipped and delivered).

  2. A validation criterion should establish a correlation between the orderId and the transactionId (received from the payment processor), and the dollar amount of the transactionId should match the item price.

  3. Cashback should only be remitted after the item return period elapses.

  4. The cashback workflow should not be triggered as part of the real-time transactional workflow.
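As an added illustration (not code from the original post or from either company), here is the affiliate payout check written the vulnerable way beside a version that enforces the four conditions above; the 30-day return window, the 3% cashback rate, the order fields and the sample orders are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

# Assumed for this example: a 30-day return window and a 3% cashback rate.
RETURN_PERIOD = timedelta(days=30)
CASHBACK_RATE = Decimal("0.03")

@dataclass
class Order:
    order_id: str
    item_price: Decimal
    transaction_id: Optional[str] = None        # id returned by the payment processor
    captured_amount: Optional[Decimal] = None   # amount the processor actually captured
    delivered_on: Optional[date] = None         # stays None until shipped and delivered
    returned: bool = False

def flawed_cashback(order: Order) -> Decimal:
    """Vulnerable: payout computed at order placement; nothing checks payment or shipment."""
    return (order.item_price * CASHBACK_RATE).quantize(Decimal("0.01"))

def eligible_cashback(order: Order, today: date):
    """Hardened check: returns (amount, 'ok') or (None, reason) so rejections can be logged."""
    if order.delivered_on is None:                      # 1. closed only once fulfilled
        return None, "not fulfilled"
    if order.transaction_id is None or order.captured_amount != order.item_price:
        return None, "payment mismatch"                 # 2. orderId <-> transactionId, amount
    if order.returned:
        return None, "returned"
    if today < order.delivered_on + RETURN_PERIOD:      # 3. wait out the return period
        return None, "in return window"
    return (order.item_price * CASHBACK_RATE).quantize(Decimal("0.01")), "ok"

def cashback_batch(orders, today: date) -> dict:
    """4. Runs as a scheduled job, decoupled from the checkout transaction."""
    due = {}
    for o in orders:
        amount, _reason = eligible_cashback(o, today)
        if amount is not None:
            due[o.order_id] = amount
    return due

# Constructed sample orders (not real data); TODAY is past LEGIT's return window.
TODAY = date(2012, 3, 1)
GHOST = Order("A-1", Decimal("1000"))                               # placed, never paid or shipped
LEGIT = Order("A-2", Decimal("1000"), "tx-77", Decimal("1000"), date(2012, 1, 5))
MISMATCH = Order("A-3", Decimal("1000"), "tx-78", Decimal("10"), date(2012, 1, 5))
FRESH = Order("A-4", Decimal("1000"), "tx-79", Decimal("1000"), date(2012, 2, 20))
```

Running `cashback_batch` over the four sample orders pays only A-2; the ghost order that the flawed function would have paid is rejected with a reason that can be fed to fraud review.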

Ironically, this is the kind of flaw that an automated web application vulnerability scanner is all but unable to find.

How can such flaws be identified and thereafter avoided?

Is there a human-assisted expert system available to check your specific application, belonging to a specific business domain, for design flaws that can be exploited?

Yes, such a system does exist. In the series finale I will reveal how this expert system can be used to identify such flaws.

Until then, onto my next installment in this series.

  1. Act 1: What is a business logic flaw?
  2. Act 2: Attack like it's 1999
  3. Act 3: The dynamic duo Andrew and Allen exploit Nordstrom with their FatWallet
  4. Act 4 - Outbidding
  5. Act 5 - Pusher in Coinbase cookie
  6. Act 6 - Your data has been breached, now what?

The second part of season #1 will be released shortly after my coffee supplies are restocked.