Suspected site hacking - adding items to cart with $0 price

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
krissato
Lieutenant, Jr. Grade (LT JG)
Posts: 26
Joined: Tue May 13, 2008 7:26 pm

Suspected site hacking - adding items to cart with $0 price

Post by krissato » Wed Feb 24, 2010 12:12 pm

We have noticed activity on our site with $0 orders (no coupons used). The same user has submitted over 20 orders, each with one item, with a bogus $0 price. These items are all variable priced items. Don't know if this is significant, but the IP Address for the user indicates the user is in the country of Portugal.

I was able to log in as that user (via the admin dashboard - this is a great feature!) and the user currently has a $0 priced item in their shopping cart. Somehow the user is able to add an item to their cart and change the price to $0.

I don't think this method will work with items that do not have variable pricing, and thankfully our site has mostly fixed priced items, so only a portion of our catalog is vulnerable to this.

Any ideas how a user would be able to do this? We need to add any necessary safeguards against price hacking!

Thank you!
Kris

deverill
Lieutenant (LT)
Posts: 64
Joined: Tue Jan 06, 2009 11:58 am
Location: Key West, FL

Re: Suspected site hacking - adding items to cart with $0 price

Post by deverill » Wed Feb 24, 2010 1:29 pm

I'm guessing, but wanted to mention this.

In our Able 5.5 store we are seeing a lot of people from places outside the US trying to mung up our store by putting in bogus URLs to see if they can gain access. Instead of http://ourstore.com/category.aspx?SID=5&Category_ID=2 we are seeing ?SID=5&Category_ID=2<some big nasty string of garbage> - I assume it is an attempt to execute code if our site is not well behaved.

Anyway, I'm thinking it is possible that if they are trying such a shotgun approach they may be putting just the right code in to make what you see happen.

Again, I'm guessing here - I'm not even on AC7 yet but it came to mind to have you check your IIS logs for that time period to see if they are trying some buffer overflow attack and that $0 product is just the side effect.

Jim
Jim Sewell - Web Programmer
Trusted Tours & Attractions

michael.p.larsen
Lieutenant (LT)
Posts: 70
Joined: Fri Jan 15, 2010 8:17 am

Re: Suspected site hacking - adding items to cart with $0 price

Post by michael.p.larsen » Wed Feb 24, 2010 2:20 pm

Sounds like there is no server-side validation. If you are relying only on client-side validation, they could probably bypass this. If you duplicate the client-side validation on server-side, you should be okay.

krissato
Lieutenant, Jr. Grade (LT JG)
Posts: 26
Joined: Tue May 13, 2008 7:26 pm

Re: Suspected site hacking - adding items to cart with $0 price

Post by krissato » Wed Feb 24, 2010 2:49 pm

Thank you Jim - looking at the logs helped me to track down the problem. Turns out this user added his item to the Wishlist, then from the Wishlist added the item to the cart. For variant items, when they get added to the cart from the Wishlist, the price is set to 0! So it's a bug, not a hack. Pricing is being taken from the product ($0) rather than the variant item price. Whew! Hopefully won't be too difficult for me to fix.

-Kris

michael.p.larsen
Lieutenant (LT)
Posts: 70
Joined: Fri Jan 15, 2010 8:17 am

Re: Suspected site hacking - adding items to cart with $0 price

Post by michael.p.larsen » Wed Feb 24, 2010 2:51 pm

Wow, nice detective work!

mazhar
Master Yoda
Posts: 5084
Joined: Wed Jul 09, 2008 8:21 am

Re: Suspected site hacking - adding items to cart with $0 price

Post by mazhar » Thu Feb 25, 2010 10:42 am

krissato wrote:
Thank you Jim - looking at the logs helped me to track down the problem. Turns out this user added his item to the Wishlist, then from the Wishlist added the item to the cart. For variant items, when they get added to the cart from the Wishlist, the price is set to 0! So it's a bug, not a hack. Pricing is being taken from the product ($0) rather than the variant item price. Whew! Hopefully won't be too difficult for me to fix.

-Kris

Which version of AbleCommerce are you using? Is it due to something custom on your website, or does it happen with a standard install? I was trying to reproduce it on my local install of 7.0.4 but couldn't.

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: Suspected site hacking - adding items to cart with $0 price

Post by jmestep » Thu Feb 25, 2010 2:21 pm

Do you have a minimum price set for the products with variable pricing?
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

krissato
Lieutenant, Jr. Grade (LT JG)
Posts: 26
Joined: Tue May 13, 2008 7:26 pm

Re: Suspected site hacking - adding items to cart with $0 price

Post by krissato » Fri Feb 26, 2010 2:43 pm

Thank you Judy! That was it... I didn't have minimum and maximum prices populated. Everything else seemed to function fine, so we did not populate those fields (we do a batch import from another source, so we didn't add those fields).

Now the add to cart from Wishlist has the correct pricing. We'll just have to update our product import.

-Kris
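The two fixes the thread converges on (michael.p.larsen's point that the server must recompute the price rather than trust what arrives with the request, and Judy's point that a variable-priced product with no minimum price falls through to a $0 product price) are easy to see side by side in code. The following is an added illustration, not AbleCommerce code; the catalog, the `Product`/`Variant`/`CartLine` types, the `buggy_wishlist_price` and `server_price` functions and the sample prices are all constructed for this example, and the hypothetical `price_cart` shows the server-side check an operator would want: every line repriced from the catalog, with lines that disagree with the submitted price or come out at zero flagged for review.

```python
"""Hypothetical cart-pricing check (constructed example, not AbleCommerce code).

Reproduces the failure from the thread: a cart line priced from the product
record ($0, min/max price not populated) instead of from the selected variant,
next to a server-side repricing step that never trusts a client-supplied price.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass
class Variant:
    sku: str
    price: Decimal


@dataclass
class Product:
    product_id: int
    name: str
    base_price: Decimal                  # $0 is typical for variable-priced products
    min_price: Optional[Decimal] = None  # floor for variable pricing; None = not populated
    max_price: Optional[Decimal] = None
    variants: Dict[str, Variant] = field(default_factory=dict)


# Constructed sample catalog. Product 1 carries its price on the variants only and
# has no min/max price (Kris's original setup); product 3 has a minimum price set.
CATALOG: Dict[int, Product] = {
    1: Product(1, "Engraved plaque", Decimal("0"),
               variants={"PLQ-S": Variant("PLQ-S", Decimal("24.00")),
                         "PLQ-L": Variant("PLQ-L", Decimal("39.00"))}),
    2: Product(2, "Fixed-price mug", Decimal("9.50")),
    3: Product(3, "Custom frame", Decimal("0"),
               min_price=Decimal("15.00"), max_price=Decimal("500.00")),
}


def buggy_wishlist_price(product: Product, sku: Optional[str]) -> Decimal:
    """The behaviour Kris described: price copied from the product, variant ignored.
    With no minimum price populated this yields $0 for a variable-priced item."""
    return product.base_price


def server_price(product: Product, sku: Optional[str]) -> Decimal:
    """Authoritative price computed from the catalog: the variant price when a
    variant is selected, otherwise the product price, clamped into
    [min_price, max_price] whenever those bounds are populated."""
    if sku is not None:
        if sku not in product.variants:
            raise ValueError(f"unknown variant {sku} for product {product.product_id}")
        price = product.variants[sku].price
    else:
        price = product.base_price
    if product.min_price is not None and price < product.min_price:
        price = product.min_price
    if product.max_price is not None and price > product.max_price:
        price = product.max_price
    return price


@dataclass
class CartLine:
    product_id: int
    sku: Optional[str]
    quantity: int
    submitted_price: Decimal  # whatever the client or wishlist handed over; never trusted


def price_cart(lines: List[CartLine]) -> List[dict]:
    """Reprice every line from the catalog and flag lines whose submitted price
    disagrees with the recomputed one, or that recompute to zero (the symptom
    Kris first spotted in the order list)."""
    report = []
    for line in lines:
        product = CATALOG[line.product_id]
        actual = server_price(product, line.sku)
        report.append({
            "product_id": line.product_id,
            "sku": line.sku,
            "price": actual,
            "mismatch": actual != line.submitted_price,
            "zero_price": actual == 0,
        })
    return report


if __name__ == "__main__":
    # Wishlist path hands us $0 for the variant item; the server repricing catches it.
    bogus = buggy_wishlist_price(CATALOG[1], "PLQ-S")
    for entry in price_cart([CartLine(1, "PLQ-S", 1, bogus),
                             CartLine(1, None, 1, Decimal("0")),
                             CartLine(3, None, 1, Decimal("0"))]):
        print(entry)
```

Running it shows the three cases the thread discusses: the variant line reprices from $0 to 24.00 and is flagged as a mismatch; product 1 added with no variant and no minimum price really does come out at $0 (flagged `zero_price`), which is why populating the minimum price mattered; and product 3, with a minimum price set, is clamped to 15.00 even through the product-level path. The `mismatch`/`zero_price` flags are the kind of signal worth logging or alerting on at checkout, independently of any client-side validation.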

mazhar
Master Yoda
Posts: 5084
Joined: Wed Jul 09, 2008 8:21 am

Re: Suspected site hacking - adding items to cart with $0 price

Post by mazhar » Mon Mar 01, 2010 7:35 am

Glad that it's resolved and wasn't a bug :)