Abstract

Software as a Service (SaaS) e-commerce platforms for merchants allow individual business owners to set up their online stores without any coding, or procuring any software/hardware. Prior work has shown that the checkout flows of such e-commerce applications are vulnerable to different kinds of logic bugs such as parameter tampering or workflow bypass, with serious financial consequences, e.g., allowing “shopping for free”. In this work, we first present a list of typical operations for such platforms, showing that there are several more functionalities beyond the check-out process, which can also lead to serious security consequences. We then leverage the fact that such platforms now heavily incorporate API requests and GraphQL calls (emerging) to design a semi-automated security analysis framework. We use this framework to analyze 32 representative e-commerce platforms (including 8 open-source ones) for seven different vulnerability categories; such platform host over 10 million stores as approximated through Google dorks. We uncover several previously unknown vulnerabilities with serious consequences, e.g., allowing an attacker to takeover all stores under a platform, and listing illegal products at a victim’s store—in addition to “shopping for free” bugs, without exploiting the checkout/payment process. We found 12 platforms vulnerable to store takeover and 6 platforms vulnerable to shopping for free, affecting thousands of stores (49000+ for store takeover, and 28000+ for shopping for free, as approximated via Google dorks). We have responsibly disclosed the vulnerabilities to all affected parties: two vendors have fixed the issues and four are still working. We have also requested four CVEs (amongst the 8 open source projects), and three CVEs have been assigned.