The importance of checksums is ignored by many businesses until the day it strikes (and it is rarely noticed in time) that revenues don't match sales. Here is a short story of how I got some free food thanks to an improperly implemented checksum function, and how I could have kept getting free food had I wanted to.
It was just another day at the office, closing in on lunchtime. I thought I would be going in for another routine lunch when a colleague of mine invited me over to his desk and offered me food from some of the most expensive restaurants in town. I was rather overwhelmed by the gesture and asked him what the occasion was. He replied there was none with a smirk on his face. I was quite surprised and curious and began to question him as we sat down to eat.
At the end of our lunch and conversation, I learned about something called a ‘checksum’ function that could cost businesses heavily, if not implemented or updated correctly.
What is a checksum and the importance of a checksum...
A checksum is a value computed from a piece of stored or transmitted data (here, the fields of an order) and carried along with it, so that the receiver can recompute the value and compare the two to detect changes to the data. A plain checksum only catches accidental corruption: anyone who can edit the data can recompute the checksum as well. Detecting deliberate tampering, which is the case that matters for an order, requires the check to be keyed with a secret the client does not hold (an HMAC or a signature), and the server must still recompute prices and totals itself instead of trusting the amounts the app sends.
According to my colleague, about 300 orders are processed on a single food aggregator app in an hour. By slightly manipulating his orders with a back-end tool, he kept them well masked and hidden behind the heavy traffic. I went on to ask how long he could keep doing this without being detected if he were an unethical hacker. He simply said, "forever, unless it's fixed."
The importance of the checksum is often ignored or not taken seriously by businesses, even though it is a very common piece of functionality. Unlike my colleague (an ethical hacker), there are many attackers out there who have no qualms about exploiting businesses for their own gain, or for no reason at all.
Here are a few tips on where to start in tackling these problems:
a. If you have not already done so, protect order data with a proper integrity check: a keyed one (an HMAC or signature using a secret held only by the server), not a bare checksum that any client can recompute.
b. Build automated anomaly detection to flag unusual transactions, such as orders whose paid amount is below the catalogue price of the items they contain.
c. Ensure the checksum functionality is actually verified on the server and kept up to date, and recompute totals server-side from your own price list rather than trusting amounts sent by the app.
d. Incorporate manual checks to detect abnormal purchase patterns.
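The following is an added example, not code from the original post or from the app it describes, showing the difference between a bare checksum and a keyed integrity check over an order, together with the server-side total recomputation and the underpriced-order detection the tips above call for. The catalogue, the order payload, the secret key and the order IDs are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed sample catalogue: the server's own source of truth for prices.
CATALOG = {"biryani": 450, "kebab": 320, "lassi": 90}

# Assumption: this key exists only on the server. If it shipped inside the
# app, an attacker could extract it and the MAC would be no better than a checksum.
SERVER_KEY = b"demo-server-secret-not-for-production"


def canonical(order: dict) -> bytes:
    """Serialize an order deterministically so both sides hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def plain_checksum(order: dict) -> str:
    """Unkeyed checksum: detects accidental corruption only; anyone can recompute it."""
    return hashlib.sha256(canonical(order)).hexdigest()


def keyed_mac(order: dict, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the order: cannot be recomputed without the server key."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_plain(order: dict, checksum: str) -> bool:
    return hmac.compare_digest(plain_checksum(order), checksum)


def verify_mac(order: dict, tag: str) -> bool:
    return hmac.compare_digest(keyed_mac(order), tag)


def server_total(order: dict) -> int:
    """Recompute the amount from the catalogue; never trust a client-supplied total."""
    return sum(CATALOG[item] * qty for item, qty in order["items"].items())


def accept_order(order: dict, tag: str) -> tuple:
    """Server-side acceptance: keyed integrity check, then independent price check."""
    if not verify_mac(order, tag):
        return False, "integrity check failed"
    expected = server_total(order)
    if order["total"] != expected:
        return False, f"total mismatch: client {order['total']}, server {expected}"
    return True, "ok"


def tamper(order: dict, new_total: int) -> dict:
    """Model an attacker editing the total in transit, as the post describes."""
    edited = json.loads(json.dumps(order))
    edited["total"] = new_total
    return edited


def flag_underpriced(orders: list) -> list:
    """Detection pass (tips b and d): IDs of orders paid below catalogue price."""
    return [o["id"] for o in orders if o["total"] < server_total(o)]


def demo() -> dict:
    """Walk through the scenario and return the outcomes for inspection."""
    order = {"items": {"biryani": 1, "kebab": 1, "lassi": 1}, "total": 860}
    forged = tamper(order, 1)
    tag = keyed_mac(order)  # issued by the server when it quoted the cart
    return {
        # The attacker simply recomputes a bare checksum after editing the order.
        "plain_checksum_fooled": verify_plain(forged, plain_checksum(forged)),
        # The server's tag no longer matches the edited order.
        "mac_rejects_forgery": not verify_mac(forged, tag),
        "honest_order": accept_order(order, tag),
        "forged_order": accept_order(forged, tag),
        # Even a valid tag over the forged order fails the price recomputation.
        "forged_with_valid_tag": accept_order(forged, keyed_mac(forged)),
        # Constructed batch for the detection pass; IDs are made up.
        "flagged": flag_underpriced([
            {"id": "A1", "items": {"lassi": 2}, "total": 180},
            {"id": "A2", "items": {"biryani": 1}, "total": 1},
        ]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two checks in accept_order are deliberately independent: the MAC tells the server the order it quoted was not edited in transit, and the recomputed total protects against the case where the key leaks or the tag is obtained some other way. The detection pass is the same recomputation run over stored orders, which is what makes the free-food pattern visible in the traffic my colleague hid behind.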
Businesses can afford to ignore the one meal we ate for free. There are, however, many people out there who live off such manipulated transactions, and the worst part is that they get away with it without anyone even knowing.
Our security researchers here at Appknox are among the industry's best at mobile app security testing. We conduct these little hacks to ensure our clients are safe and secure. At the end of the day, we reported this particular free-food bug to the company concerned and compensated them accordingly.
Checksums don't apply just to food businesses but to any business that is transaction based. If you are concerned that your business could be exploited through a simple but easily mishandled function like a checksum, have a chat with our friendly in-house ethical hackers and get your app's checksum tested (no charge, no hidden costs).
Related post- How Improper Checksum Got Us Free Food - Part II