NEWS
Ethical Hackers Spoof Buggy Sales System to Buy A MacBook For $1
2063
2017-08-29
Posted by 3utools

Apple retails its MacBooks at notoriously high rates, but hackers might have found a way to bend the system – and possibly bring the price down to a measly dollar.


Researchers from software security firm ERPScan have discovered a vulnerability in point-of-sale terminals developed by SAP and Oracle. If exploited, the flaw could grant attackers authorization to tap into the back-end system and tamper with prices and discounts for any item.


Meddling with this POS terminals, ERPScan’s Dmitry Chastuhin and Vladimir Egorov found that the system’s Xpress server suffered from a slew of missing authorization measures. What was particularly jarring about this is that, in addition to access to credit card data, it also enabled attackers to gain unfettered control over the server.


This includes the possibility to change prices and discount rates, as well as the ability to remotely start and shut down terminals.


Ethical Hackers Spoof Buggy Sales System to Buy A MacBook For $1


“Broadly speaking, it’s not a problem of SAP. Many POS systems have similar architecture and thus same vulnerabilities,” said Chastuhin.


“The connections between POS workstation and the store server lack the basics of cybersecurity – authorization procedures and encryption – and nobody cares about it. So, once an attacker is in the network, he or she gains full control of the system.”


Chastuhin and Egorov have since uploaded a proof-of-concept video to YouTube. In the clip, the researchers show how an attacker can use a $25 Raspberry Pi to acces the POS terminal backend and install malware designed to spoof the prices.


ERPScan first disclosed the vulnerability to SAP back in April this year. While the company released a patch for the bug in July, the researchers were able to exploit another flaw to perform the same attack. Following the second report, SAP has now successfully patched both vulnerabilities.


In case you happen to use SAP’s POS terminal solution, the researchers advise clients to “implement the appropriate patches (SAP Security Note 2476601 and SAP Security Note 2520064) as soon as possible to protect their business-critical assets.”


Source: thenextweb

Related Articles
Apple Silicon M1 Chip in MacBook Air Outperforms High-End 16-Inch MacBook Pro Apple Releases macOS Mojave 10.14.1 Supplemental Update for 2018 MacBook Air Super Mario Bros Playable On The Touch Bar What to Expect at Apple’s “Hello Again” Mac Event ? This Is Apple's Insanely Powerful New iMac Pro Apple Says Hidden Safari Setting Led to Flawed Apple Slashes USB-C Dongle Pricing Following MacBook Pro Backlash Please Let The 2018 MacBook Pro Look Exactly Like This