
On 22 June 2014, a user on the “BlackHat Playground” forum posted a challenge: “Can anyone breach the ShopLyfter‑Aria integration without touching the source code? First to succeed gets bragging rights.” The post quickly garnered attention, and a user identified as L. “Cipher” Nguyen accepted.



Prepared for the International Conference on Secure E‑Commerce (ICSEC 2024). The authors declare no conflict of interest.

| Phase | Action | Technical Detail |
|-------|--------|------------------|
| A. Reconnaissance | Harvested public endpoints using curl and nmap. | Discovered /api/v1/checkout (ShopLyfter) and /pts/v2/token (Aria). |
| B. CORS misconfiguration | Intercepted a legitimate checkout flow with Burp Suite. | Detected a wildcard `Access-Control-Allow-Origin: *` header on /pts/v2/token, allowing a page on any origin to request a token. |
| C. Token replay | Crafted a malicious front end (hosted on a personal domain) that called the PTS endpoint directly, bypassing ShopLyfter's server‑side validation. | Obtained payment tokens that were meant to be single‑use but were never invalidated after redemption, and reused them across multiple transactions. |
| D. Data exfiltration | JavaScript on the attacker‑controlled front end captured each token response and forwarded it to a remote server. | Stole ≈ 1.2 M tokenized card references and associated metadata (order ID, amount). |
| E. Escalation | Used the token‑to‑card‑detail endpoint (/pts/v2/decrypt) with merchant credentials obtained through a separate credential‑stuffing attack on ShopLyfter's admin panel. | Decrypted ≈ 450 K actual PANs (Primary Account Numbers). |
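Phase B turns on how browsers interpret the CORS response headers, and a practitioner reviewing such a finding wants a precise rule rather than "wildcard = bad". The following is an added example, not code from the write‑up or from either vendor: it classifies a token endpoint's response headers from the point of view of an attacker‑controlled origin. The header sets are constructed to illustrate the wildcard case described above and two alternatives (a reflected origin with credentials, and a correct allow‑list); the endpoint path /pts/v2/token comes from the text, all other names are assumptions.

```python
"""Classify the CORS posture of an HTTP response as seen from a given origin.

Added example (not from the original write-up). Sample header sets below are
constructed; only the path /pts/v2/token is taken from the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsVerdict:
    readable_cross_origin: bool  # can a page on `origin` read the response body?
    with_credentials: bool       # ...and will the browser attach cookies/auth to it?
    reason: str


def classify_cors(headers: dict, origin: str) -> CorsVerdict:
    """Apply the browser's rules to a response for a cross-origin request from `origin`."""
    # HTTP header names are case-insensitive; normalise once.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return CorsVerdict(False, False,
                           "no Access-Control-Allow-Origin: browser blocks cross-origin reads")
    if acao == "*":
        # Browsers refuse to combine '*' with credentials, so the response is readable
        # from any origin, but only for requests the browser sent without cookies.
        # That is exactly the condition for an unauthenticated token endpoint to leak.
        return CorsVerdict(True, False,
                           "wildcard ACAO: any origin can read responses to credential-less requests")
    if acao == origin:
        if creds:
            return CorsVerdict(True, True,
                               "origin reflected with credentials: attacker origin reads authenticated responses")
        return CorsVerdict(True, False, "origin explicitly allowed, without credentials")
    return CorsVerdict(False, False, f"ACAO {acao!r} does not match requesting origin {origin!r}")


def audit(endpoint_responses: dict, attacker_origin: str) -> dict:
    """Return {path: reason} for every endpoint an attacker page could read from."""
    findings = {}
    for path, headers in endpoint_responses.items():
        verdict = classify_cors(headers, attacker_origin)
        if verdict.readable_cross_origin:
            findings[path] = verdict.reason
    return findings


# Constructed sample responses (hypothetical values, not captured traffic).
SAMPLE_RESPONSES = {
    # The misconfiguration described in the table.
    "/pts/v2/token": {"Access-Control-Allow-Origin": "*",
                      "Content-Type": "application/json"},
    # A different, equally bad pattern: reflecting Origin and allowing credentials.
    "/pts/v2/decrypt": {"Access-Control-Allow-Origin": "https://attacker.example",
                        "Access-Control-Allow-Credentials": "true"},
    # Correct: a fixed allow-list entry for the merchant storefront only.
    "/api/v1/checkout": {"Access-Control-Allow-Origin": "https://shop.example",
                         "Vary": "Origin"},
}

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_RESPONSES, "https://attacker.example").items():
        print(f"{path}: {reason}")
```

The useful distinction is in the two "readable" outcomes: a wildcard exposes only what the endpoint hands out to anonymous callers, whereas a reflected origin combined with `Allow-Credentials: true` exposes the victim's authenticated session. When probing a real endpoint, send the request with a `Origin:` header you control and also check whether the `Vary: Origin` header is present, since its absence means an intermediate cache may serve the attacker‑origin response to other users.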

The entire chain required no alteration of client‑side code on the legitimate ShopLyfter storefront; it exploited only misconfigurations in the third‑party API. Two conditions had to hold for phase B to lead to phase C: the token endpoint issued tokens to callers with no per‑session or per‑origin authentication (a wildcard `Access-Control-Allow-Origin` only exposes responses to requests the browser sends without credentials), and the tokens, although described as single‑use, were never invalidated on redemption, so the replay in phase C was a server‑side enforcement failure rather than a browser‑side one.
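The replay in phase C only works because the issuing service did not enforce its own single‑use promise. The following is an added example, not code from the write‑up or from either vendor: a minimal server‑side token service that binds each token to the merchant and amount it was issued for, expires it, and marks it consumed on first redemption so a captured token cannot be redeemed twice. The class and method names (PaymentTokenService, issue, redeem) and the in‑memory store are assumptions for illustration; a production service would use an atomic compare‑and‑set in a shared store rather than a Python dict.

```python
"""Server-side single-use payment tokens (added example, not the page's code).

Models the control the write-up says was missing: a token is bound to the
merchant and amount it was issued for and is invalidated the first time it is
redeemed. Names and the in-memory store are assumptions for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class TokenRecord:
    merchant_id: str
    amount_cents: int
    issued_at: float
    consumed: bool = False


class PaymentTokenService:
    def __init__(self, ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so expiry can be tested offline
        self._store: Dict[str, TokenRecord] = {}

    def issue(self, merchant_id: str, amount_cents: int) -> str:
        # 256 bits of randomness: unguessable, but the real protection is the
        # server-side binding and the consumed flag, not the token's secrecy.
        token = secrets.token_urlsafe(32)
        self._store[token] = TokenRecord(merchant_id, amount_cents, self._clock())
        return token

    def redeem(self, token: str, merchant_id: str, amount_cents: int) -> Tuple[bool, str]:
        """Return (accepted, reason). A token is accepted at most once."""
        rec = self._store.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.consumed:
            return False, "replay: token already redeemed"
        if self._clock() - rec.issued_at > self._ttl:
            return False, "expired"
        if rec.merchant_id != merchant_id or rec.amount_cents != amount_cents:
            # A token captured from one checkout must not pay for another.
            return False, "token not bound to this merchant/amount"
        # Mark consumed before any downstream charge so a concurrent retry fails.
        rec.consumed = True
        return True, "ok"


if __name__ == "__main__":
    svc = PaymentTokenService(ttl_seconds=300)
    tok = svc.issue("merchant-123", 4999)          # constructed sample checkout
    print(svc.redeem(tok, "merchant-123", 4999))   # first use is accepted
    print(svc.redeem(tok, "merchant-123", 4999))   # second use is a replay
    print(svc.redeem(tok, "merchant-999", 4999))   # wrong merchant, also refused
```

Rejecting on binding mismatch before marking consumed is deliberate: a token presented with the wrong merchant or amount is an attack indicator and should be logged as such, but it must not be allowed to burn a legitimate customer's token either way; in this model it is simply refused and left for the legitimate redemption.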