Case Files: The dynamic duo Andrew and Allen exploit Nordstrom with their FatWallet

Fast forward 2012, from my last post that enacted Citibank’s exploit from 1999.

The actors in this story are Andrew and Allen Chiu and their plot to defraud Nordstorm via a channel partner

FatWallet Inc. used to be a membership-based shopping community website that used to promote various online retailers by providing coupons and cashback incentives for purchases. Nordstrom was one of its retailer partners.

In 2010, the criminal duo discovered a business logic flaw in Nordstorm’s e-commerce ordering system. They exploited this flaw by placing several orders that were never fulfilled (neither were the associated merchandise shipped nor their credit card charged).

However, Nordstorm’s fulfillment system continued to compensate FatWallet for each of these orders and the criminal duo received cashback credit from FatWallet.

Between January 2010 and October 2011, this dynamic duo placed $23 million worth of orders on Nordstorm leading to Nordstorm paying $1.4 million worth of rebates and commissions, with more than $650,000 in fraudulent cashback payments going directly to both of them.

What are these conditions that led to this flaw to be exploited?

  1. An order should never be considered closed until fulfilled (shipped and delivered).
  2. Validation criteria should establish a correlation between orderId and transactionId (received from payments processor) and dollar amount of transactionId should match the item price.
  3. Cashback should only be remitted after the item return period elapses.
  4. Cashback workflow should not be triggered as a part of the realtime transactional workflow.

Ironically, this is one of those types of flaws that’s all but impossible for an automated web application vulnerability scanner to find.

How can such flaws be identified and thereafter avoided?

Is there a human-assisted expert system available to check your specific application belonging to a specific business domain for design flaws that can be exploited?

Yes, such a system does exist. ShiftLeft’s Ocular is a platform built over the foundational Code Property Graph that is uniquely positioned to deliver a specification model to query for vulnerable conditions, business logic flaws and insider attacks that might exist in your application’s codebase.

To request a free trial and demo, please signup at

Case Files: The dynamic duo Andrew and Allen exploit Nordstrom with their FatWallet was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Chetan Conikee. Read the original post at: