Why buy an expensive MacBook Pro when you can get it for $1? But then you would be the bad guy.
IT security researchers at ERPScan discovered a set of critical vulnerabilities in SAP Point-of-Sale systems (SAP POS), a client/server point-of-sale (POS) solution, that allowed them to buy an expensive MacBook for just $1.
According to the researchers, the vulnerabilities exist in the SAP POS Xpress Server and can be exploited to modify the price charged when a specific product is purchased. An attacker can also use them to steal banking data, including the credit card details used for the purchase.
The attack only succeeds if the attacker is connected to the same network used by the payment system. According to the security firm, a hacker would need to physically connect a Raspberry Pi or a similar device (costing no more than $25) to the electronic scales inside a shop, or carry out the attack remotely if the network is exposed to the Internet.
In a blog post, ERPScan researchers wrote: “Once you are in, you have unlimited control over the backend and frontend of the POS system, as the tool can upload a malicious configuration file on the SAP POS Xpress Server without any authentication procedure. New parameters are limited by hackers’ imagination: they can set a special price or discount, the time the discount is valid, the conditions under which it works – for example when purchasing a specific product.”
The vulnerabilities were discovered in April this year and reported to the manufacturer the same month.
Watch the demo video uploaded by ERPScan researchers.