Indiana University

Last modified: Wednesday, June 1, 2011

IU, Microsoft work uncovering online payment flaws earns 'best paper' at top security symposium

June 1, 2011

BLOOMINGTON, Ind. -- A research paper by Indiana University security scientists and researchers at Microsoft received a best paper award last week at the premier venue on computer security and electronic privacy. The paper drew national attention when it reported that Web stores using online third-party payment systems like PayPal often contain logic flaws that allow malicious users to shop for free.

Indiana University's XiaoFeng Wang, seated, and Rui Wang.

"How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores," by IU Bloomington School of Informatics and Computing (SOIC) doctoral student Rui Wang, SOIC associate professor XiaoFeng Wang and Microsoft Research's Shuo Chen and Shaz Qadeer, was awarded "Best Practical Paper" at the 32nd annual Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy.

In their 16-page paper, the researchers studied the security implications introduced by the complexity of trilateral interactions among the Web client, online stores and third-party cashiers such as PayPal, Amazon Payments and Google Checkout.

In the paper, the researchers explained how a malicious shopper could purchase an item at an arbitrarily low price, shop for free after paying for one item, or even avoid payment. The researchers reported their findings to the affected companies, which then updated their vulnerable software. By analyzing the complexity in finding these types of logic flaws, the team was able to gain a preliminary understanding of what was needed to improve the security assurance of the systems during development and testing processes.

The IEEE accepted about one of every 10 papers submitted for the conference, and three "Best Paper" awards (Best Paper, Best Student Paper, and Best Practical Paper) were selected from the 35 accepted papers presented at the May 22-25 symposium in Oakland, Calif. Earlier this year, after the research findings were initially released, the team's work was highlighted at CNN Money, MSNBC, New Scientist, Network World, CNET, and many others.

"This award is more than just a recognition of our team's work," XiaoFeng Wang said. "It is indeed a recognition of the achievement of system security research at Indiana University, as it was one of but three awards bestowed by the most prestigious venue in security."

XiaoFeng Wang, acting director of security informatics at SOIC and head of the System Security Research Lab at IU, is Rui Wang's adviser. During the summers of 2009 and 2010 Rui Wang worked at Microsoft Research's Internet Services Research Center under the supervision of report team member Shuo Chen.

The paper is available online here:

To speak with the researchers or for more information, please contact Steve Chaplin, University Communications, at 812-856-1896 or