October 6, 2010: CS Security Research uncovers massive security holes in online banking and shopping sites

Update: NoTamper was selected as a finalist for the CSAW AT&T Applied Security Research Best Paper Award competition at NYU-Poly.


At the ACM Conference on Computer & Communications Security, being held in Chicago this week, a team of researchers from UIC's Department of Computer Science and the University of Chicago will present research that has uncovered several major security holes in online web sites and open source software. The team includes CS PhD student Prithvi Bisht, CS undergraduate students Nazari Skrupsky and Radoslaw Bobrowicz, UIC CS professor Venkat Venkatakrishnan, and Tim Hinrichs, a post-doctoral researcher at the University of Chicago.

The class of attacks studied in this effort is called web-parameter tampering. These attacks are possible because a web site's server side often trusts the form data a user submits without validating it again: the checks are performed only in the browser (for example, by JavaScript that limits which accounts a form offers or what range a quantity field accepts), and nothing prevents an attacker from bypassing the browser and sending a crafted request directly. This weakness is frequently exploited by malicious attackers.

Although such vulnerabilities have been known for quite some time, this research from UIC is the first systematic effort to study the problem of finding such security holes in web sites. The researchers have built a tool called NoTamper that analyzes a site's client-side validation code to learn the constraints a form is supposed to enforce, generates inputs that violate them, and compares the server's responses to see whether the server enforces the same constraints. Using NoTamper, the research team was able to find several security holes:

One serious security hole involved the online bank www.selfreliance.com, at which one of the researchers had an account. Using the results from NoTamper, the team was able to transfer money between two arbitrary, unrelated accounts. The bank was contacted about this vulnerability and fixed it in less than 24 hours, during which time the money-transfer functionality was disabled completely. Selfreliance had licensed the vulnerable software from ESP Solutions Inc, which applied a global patch for all of its clients that use this functionality and additionally fixed similar problems in its other key product, FORZA, which provides online banking features.

The team also found another serious security hole in the online shop www.codemicro.com, which sells computer equipment. Using the results from NoTamper, the team was able to shop for products with unlimited "discounts", leading to a successful checkout of a purchase worth several hundred dollars for only $10. The site administrators confirmed the vulnerability and fixed it within 24 hours of being notified.
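The following is an added illustration of the weakness described above. It is not NoTamper's code and does not reproduce the specific bugs found at either site (their actual mechanics are in the paper). It models a money-transfer handler and a checkout handler that trust browser-validated parameters, beside hardened versions that re-derive account ownership, price and discount from server-side state. All account numbers, balances, prices and coupon codes are constructed sample data, and the parameter names are hypothetical.

```python
# Added example: server-side handlers that trust browser-validated parameters,
# beside hardened versions. Not NoTamper's code; all data below is constructed.

# Constructed sample state (hypothetical identifiers; amounts in cents).
ACCOUNTS = {"A-100": 50_000, "A-200": 5_000, "A-300": 100_000}  # balances
OWNERSHIP = {"alice": {"A-100", "A-200"}, "bob": {"A-300"}}     # who may debit what
CATALOG = {"ssd-1tb": 12_000, "ram-32gb": 18_000}               # unit prices
COUPONS = {"STUDENT10": 10}                                     # server-side discount policy


class TamperingRejected(Exception):
    """Raised when a submitted parameter contradicts server-side state or policy."""


def transfer_vulnerable(params, accounts):
    """Trusts from_account exactly as submitted.

    The browser form only ever lists the logged-in user's own accounts, so the
    developer assumes the field is "already validated". A crafted POST can name
    any account, so money moves between arbitrary, unrelated accounts."""
    src, dst = params["from_account"], params["to_account"]
    amount = int(params["amount"])
    if amount <= 0 or accounts[src] < amount:
        raise ValueError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount
    return accounts


def transfer_hardened(user, params, accounts, ownership=OWNERSHIP):
    """Same operation, but the server decides which accounts the user may reference."""
    src, dst = params["from_account"], params["to_account"]
    amount = int(params["amount"])
    if src not in ownership.get(user, set()):
        raise TamperingRejected(f"{user} does not own {src}")
    if dst not in accounts or src == dst:
        raise TamperingRejected("invalid destination account")
    if amount <= 0 or accounts[src] < amount:
        raise ValueError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount
    return accounts


def checkout_vulnerable(params):
    """Prices the order from client-supplied unit_price and discount_pct.

    Hidden form fields and JavaScript-computed totals are still user input."""
    qty = int(params["qty"])
    unit_price = int(params["unit_price"])
    discount = int(params["discount_pct"])
    return qty * unit_price * (100 - discount) // 100


def checkout_hardened(params, catalog=CATALOG, coupons=COUPONS):
    """Recomputes price and discount from server-side data only; the client
    may choose a SKU, a quantity and a coupon code, nothing else."""
    sku = params.get("sku")
    if sku not in catalog:
        raise TamperingRejected("unknown sku")
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        raise TamperingRejected("qty is not an integer") from None
    if not 1 <= qty <= 10:  # the same range the browser-side form enforces
        raise TamperingRejected("qty out of range")
    discount = coupons.get(params.get("coupon", ""), 0)
    return qty * catalog[sku] * (100 - discount) // 100


if __name__ == "__main__":
    # Bob submits a transfer naming Alice's account as the source.
    tampered = {"from_account": "A-100", "to_account": "A-300", "amount": "40000"}
    print("vulnerable:", transfer_vulnerable(tampered, dict(ACCOUNTS)))
    try:
        transfer_hardened("bob", tampered, dict(ACCOUNTS))
    except TamperingRejected as e:
        print("hardened rejected:", e)
    # A checkout with a client-chosen price and a 99% "discount".
    order = {"sku": "ram-32gb", "qty": "3", "unit_price": "100", "discount_pct": "99"}
    print("vulnerable total (cents):", checkout_vulnerable(order))
    print("hardened total (cents):", checkout_hardened(order))
```

The hardened handlers show the general rule behind both findings: any value that affects authorization or money (which account is debited, what a product costs, what discount applies) must be looked up or recomputed on the server from the authenticated session and server-side data, and client-side validation is treated only as a usability aid.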

Several additional exploits were found in open source software that is used to power web sites. The research paper, http://cs.uic.edu/~venkat/research/papers/NoTamper-ccs2010.pdf, contains the details of the other exploits found.

Particularly noteworthy about this work is the involvement of undergraduates in the research. Undergraduate students Skrupsky and Bobrowicz contributed many novel ideas and developed the NoTamper prototype. This is also the third peer-reviewed paper that Prof. Venkatakrishnan has co-authored with CS undergraduate students.

The Conference on Computer and Communications Security (CCS) is ACM's flagship peer-reviewed conference in the security and privacy area. It is a highly selective venue with low acceptance rates.

This research was supported by NSF Grant CNS 0845894 and a Research Experiences for Undergraduates (REU) supplement grant.

Department of Computer Science http://www.cs.uic.edu
Center for RITES: http://www.rites.uic.edu
Prof. Venkatakrishnan: http://www.cs.uic.edu/~venkat
