14 DAY TRIAL // Buying super-expensive devices like Apple’s MacBook with just $1 is actually something that can be done due to a vulnerability in SAP POS systems, a research published by security firm ERPScan demonstrates.
The company has detailed in a YouTube video how a security flaw in the SAP POS Xpress Server can be abused to modify the price of a specific product, intercept payments, and collect financial information such as the details of a card that’s being used at a specific time.
The vulnerability resides in the SAP POS Xpress Server which handles the payments made through in-store SAP POS systems and the research shows that an attack has big chances to be successful because the implementation misses multiple authorization checks on the server side.
Patches already released
The security firm says that in order for a hacker to breach the SAP POS system, the attack must be launched from the same network that’s being used by payment solutions, so cybercriminals need to physically be in a store to be able to take advantage of the flaw. This is possible with very cheap hardware, like a Raspberry Pi and other tools that overall cost just $25.
On the other hand, if an Internet connection does exist, the attacks can be launched remotely, but only if the network is exposed to outside connections.
“Once you are in, you have unlimited control over the backend and frontend of the POS system, as the tool can upload a malicious configuration file on the SAP POS Xpress Server without any authentication procedure. New parameters are limited by hackers’ imagination: they can set special price or discount, the time the discount is valid, the conditions under which it works – for example, when purchasing a specific product,” the company explains.
On the good side, the vulnerability has already been reported to the parent company in April this year, and fixes have already been shipped to block the exploits.
