It was just another day at the office, closing in on lunchtime. I thought I would be going in for another routine lunch when a colleague of mine invited me over to his desk and offered me food from some of the most expensive restaurants in town. I was rather overwhelmed with the gesture and asked him what the occasion was. He replied there was none with a smirk on his face. I was quite surprised and curious and began to question him as we sat down to eat.
At the end of our lunch and conversation, I learnt about something called a ‘checksum’ function that can cost businesses heavily if it is not implemented or updated correctly.
What is Checksum?
A checksum is a small value computed from a piece of stored or transmitted digital data and kept alongside it; whoever later reads or receives the data recomputes the value and compares it, which detects accidental errors such as corruption in transit. The point that matters for security is that a checksum by itself is not a tamper-detection control: the algorithm is public and needs no key, so anyone who can modify the data can simply recompute a matching checksum for the modified version. To catch deliberate manipulation, the check has to depend on something the attacker does not have, typically a keyed MAC such as an HMAC whose secret lives only on the server, and the server should validate the data (for a food app, the order total) independently rather than trust what the client sends.
According to my colleague, about 300 orders are processed on a single food aggregator app in an hour. With minor manipulation of orders using a back-end tool, his orders were well masked and hidden behind the heavy traffic. I went on to enquire how long (if he were an unethical hacker) he could keep doing this without being detected. He just stated, ‘forever, unless it’s fixed.’
Checksums, although used by businesses, are often ignored or not taken seriously. Unlike my colleague (an ethical hacker), there are many hackers out there who have no qualms about exploiting businesses for their own gain, or for no reason at all.
Here are a few tips on how businesses can tackle this problem:
a. First, if you have not already done so, implement an integrity check on order data, and make it a keyed one: a bare checksum can be recomputed by anyone who reads the app, so use an HMAC with a long, unique secret that is held only on the server.
b. Build anomaly detection into the system so that unusual transactions (for example, orders whose totals disagree with the server’s own price list, or repeated near-zero orders from one account) are flagged automatically.
c. Keep the checksum functionality correct and up to date, and never trust a total or checksum computed by the client; recompute the price of every order on the server from the current menu before accepting it.
d. Incorporate manual checks to catch abnormal purchase patterns that the automated rules miss.
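To make the definition of a checksum above and tips (a) and (c) concrete, here is an added example (written for this article, not code from the original post or from any food aggregator app) in Python. It constructs a sample order, shows that a plain CRC32 checksum still “verifies” after the order is tampered with and the checksum recomputed, and then shows that an HMAC with a server-held secret rejects the same tampering and that recomputing the total on the server ignores whatever the client claims. The menu, prices, order and `SERVER_SECRET` are all invented for illustration.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample data for the example; not taken from any real app.
MENU_PRICES = {"biryani": 350, "kebab": 220}
# Assumed placeholder: in production load this from a secrets manager,
# and never ship it inside the client app.
SERVER_SECRET = b"replace-with-a-random-key-from-a-secrets-manager"


def canonical(order):
    # Stable serialisation so that both sides hash exactly the same bytes.
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def weak_checksum(order):
    # A bare checksum (CRC32 here) only detects accidental corruption:
    # anyone who knows the algorithm can recompute it after editing the data.
    return "%08x" % zlib.crc32(canonical(order))


def weak_verify(order, checksum):
    return weak_checksum(order) == checksum


def keyed_tag(order, key=SERVER_SECRET):
    # HMAC-SHA256 over the same bytes. The client never holds the key, so it
    # cannot produce a valid tag for an order it has modified.
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def keyed_verify(order, tag, key=SERVER_SECRET):
    # Constant-time comparison to avoid leaking the tag byte by byte.
    return hmac.compare_digest(keyed_tag(order, key), tag)


def server_total(order):
    # Independent of anything the client sends: recompute from the menu.
    return sum(MENU_PRICES[line["item"]] * line["qty"] for line in order["items"])


def tamper(order):
    # Simulates the "back-end tool": the client reports a zero total.
    modified = json.loads(json.dumps(order))
    modified["total"] = 0
    return modified


def demo():
    order = {"order_id": 1001, "items": [{"item": "biryani", "qty": 2}], "total": 700}
    legit_tag = keyed_tag(order)

    # Attacker edits the order, then recomputes the public checksum.
    bad = tamper(order)
    bad_checksum = weak_checksum(bad)

    return {
        "weak_accepts_tampered": weak_verify(bad, bad_checksum),          # True: bypassed
        "keyed_accepts_legit": keyed_verify(order, legit_tag),             # True
        "keyed_accepts_tampered": keyed_verify(bad, legit_tag),            # False
        "keyed_accepts_forged": keyed_verify(bad, keyed_tag(bad, b"guess")),  # False
        "server_total": server_total(bad),                                 # 700, ignores client total
        "client_total_mismatch": bad["total"] != server_total(bad),        # True: flag for review
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The mismatch between the client-supplied total and `server_total()` is exactly the kind of signal the anomaly detection in tip (b) should record, whether or not the order is then rejected outright.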
Businesses can afford to ignore that one meal we ate for free. However, there are many people out there who live on such manipulated transactions and, worst of all, get away with it without anyone ever knowing.
Our security researchers here at Appknox are some of the industry’s best. We conduct these little hacks to ensure our clients are safe and secure. At the end of the day, we reported this particular free-food bug to the concerned parties and compensated them accordingly.
Checksums do not apply just to food businesses but to any business that is transaction based. If you are concerned about your business being exploited through a simple piece of functionality like a ‘checksum’, have a little chat with our friendly in-house ethical hackers and get your app’s checksum tested (no charge).