Join 3,572 readers in helping fund MetaFilter (Hide)


ever wish those new laptops were a little cheaper?
March 21, 2001 9:14 AM   Subscribe

ever wish those new laptops were a little cheaper? hackers have found a simple way of changing the prices on e-commerce sites and then submitting a purchase order with the new price...all in the "edit page" feature of your browser... suddenly network security is not the only thing to be aware of with online transactions.
posted by zerotype (29 comments total)

 
hmm. It's pretty trivial to disallow any form submits that don't have a referrer from the site they originated from (example: I could add one tiny line of code that would make it impossible for you to submit metafilter comments from a page saved and modified on your desktop). It's fairly standard stuff, are some e-commerce sites not doing it?
posted by mathowie at 9:19 AM on March 21, 2001


When I first read this in IntWeak last week, my first thought was "Could I get away with this?" And I'm annoyed that the article doesn't really bother to say whether or not you could get arrested for doing it. I don't think they should be able to prosecute; if someone is stupid enough to sell you a $1500 laptop for $1.50, that's their problem, not yours. But whether they should and whether they can are two different things in this world.
posted by aaron at 9:31 AM on March 21, 2001


Matt, it would be trivial to fake the referer (sic). It's been shown time and again that you have to check the validity of form fields on the server side. Anyone who can use telnet can screw you if you don't.
It's not like this is a new epidemic.
posted by sonofsamiam at 9:35 AM on March 21, 2001


Mathowie: That's not the point. The shopping carts should store only the item ids, and not the prices in their hidden fields and access the item prices from their database when calculating the total or tax or whatever.
posted by lacal at 9:35 AM on March 21, 2001


sonofsamiam: Mathowie is talking about checking on the server side. What are you talking about? What's the telnet hack you allude to?
posted by ericost at 9:45 AM on March 21, 2001


No hack. The referer is passed to the server from the browser, it's produced entirely with your browser. You can dial in to port 80, and do something like:

GET /file.htm\n
Referer: /index.html\n
User-Agent: An_unethical_telnetter\n
\n\n

When I said "check on the server side" I was referring to the way many sites will check form field validity with just javascript, or not at all. lacal is dead-on, the program should accept only the bare minimum required info from the user, and should validate it all.
posted by sonofsamiam at 10:13 AM on March 21, 2001


There are actually sites that use hidden fields for item prices? Gads, it didn't take me any time at all to figure out that was a bad idea when I designed a shopping cart system five years ago.
posted by kindall at 10:17 AM on March 21, 2001


Old news really (can't find the link, but I'm sure this was on The Reg a few months ago), but I can't believe people haven't wised up yet.

For those that care, the real secret is to digitally sign all the important details submitted back to the website to complete the order (or keep the price in a database and only pass the product id from page to page).
posted by flimjam at 10:28 AM on March 21, 2001


hmm. It's pretty trivial to disallow any form submits that don't have a referrer from the site they originated from (example: I could add one tiny line of code that would make it impossible for you to submit metafilter comments from a page saved and modified on your desktop). It's fairly standard stuff, are some e-commerce sites not doing it?


If that was the only way to do it, one could easily write a program to fake the Referrer page sent by the browser. When you design an ecommerce site, there's one rule that you can stick by: never trust the client. Don't put things in a form field that you don't want the client to be able to choose, like price. Give the product an id, and keep the prices in some sort of database, and calculate the prices server side. If you don't do that, you're opening up a rather large can of whoop-ass.
posted by mfbridges at 10:49 AM on March 21, 2001


When I see what other programmers get away with, I still can't comprehend how, as a good *and* smart programmer, I'm not making a couple hundred thousand a year.
posted by jdiaz at 11:28 AM on March 21, 2001


I'd like to also re-emphasize the "validate" part: Not only should you take as little information from the client as possible, but your server-side software should account for all possible values for all used keys, not to mention properly ignoring keys you're not using.

That is, if your item ID is a 6-digit number, make sure your server software responds appropriately when the item ID is a 256-character string of garbage. Or worse, a section of a SQL query. Validate validate validate.

It's too obvious to be believed, it seems, that any substantial e-commerce site would have such loopholes. I continue to assume that the Egghead case was probably a much more complicated hack (like feeding disperate item and auction IDs, not straight prices-- still a stupid move, but not as dumb as asking the client to name their price in the form data). Though there are too many underqualified people designing shopping carts, so no doubt there are some with obvious holes...
posted by dan_of_brainlog at 2:00 PM on March 21, 2001


Geez. "Don't trust the client" has only been an extremely well known rule of client-server systems design for what, thirty or forty years now? Who are these people, anyway?

No kidding, jdiaz... but software quality has been irrelevant since Microsoft achieved ascendancy, so I think the inability to write code that doesn't suck has actually become an advantage.

-Mars, grumpy pissed-off programmer
posted by Mars Saxman at 2:03 PM on March 21, 2001


It's also a good idea to encrypt all ids you send to the client.

create table keys ( key varchar(128), guid varchar(40))

create the guid and the key every time a user logs in, store the guid in a cookie, use the guid to access the key. Add layers of obfuscation as deemed appropriate.

It's a little bit of a performance hit, but a bit of a performance hit reflects on your company much much better than the press release that discusses how you've been duped for a few grand by a black hat who's bought o'reilly's http with perl book. Whatever it is that's called. HTTP Client Programming with Perl perhaps.
posted by cCranium at 2:04 PM on March 21, 2001


Here's another scam that I don't endorse and have never done. Download the html from an e-commerce site where you actually intend to buy a product. Modify the price in your local copy. Then re-type the actual URL over your local path in the Address area and Alt-Prnt Scrn it. Save the modified copy as a gif. This establihes the context of the page as actually being from their server.

Order the product and as soon as you get the confirmation, email (and/or call) and complain about the difference. Accuse bait and switch. Usually the company will give you a discount of sorts (within reason).

Like I said, I don't endorse this. It is illegal. It is fraud. You will be incarcerated if you are caught doing this. DON'T do this. I bet it would work, though.
posted by internook at 2:59 PM on March 21, 2001


So is this price changing thing (not the deal with the screenshot) illegal? It seems like extreme negligence on the seller's part and they should have to deal with it, but I wouldn't want to risk it if I didn't know the possible consequences.
posted by stopgap at 4:14 PM on March 21, 2001


...if someone is stupid enough to sell you a $1500 laptop for $1.50, that's their problem, not yours.

Interesting ethics! So if I invite you over for dinner, and I'm stupid enough to leave my wallet on the coffee table, it's okay for you to take it?
posted by grumblebee at 6:56 PM on March 21, 2001


internook: the only snag i see with that idea is that, in IE, the little "paper with an 'e'" icon disappears. but it would be a trivial photoshop trick to edit that.
posted by pnevares at 9:05 PM on March 21, 2001


Interesting ethics! So if I invite you over for dinner, and I'm stupid enough to leave my wallet on the coffee table, it's okay for you to take it?

Man I was seriously feeling emboldened until you came along and wrote that grumblebee! I was beginning to formulate a whole new ethical philosophy as I continued reading. One where I began to qualify the fantasy of a life of crime with the endorsement of the moral high ground.

In other words, you're exactly right. But what a titillating temptation it all was while it lasted.
posted by crasspastor at 10:17 PM on March 21, 2001


I've heard that there are (or at least there were a few months ago) some sites out there that are even easier to mess with than the way described in the article. When you buy something, the order is placed with a "&price=59.99" string at the end of the URL. All you have to do is manually type in your own price and submit that URL instead of the real one. You don't even have to edit the page!

I doubt very many of the businesses that were doing that are still around, though.
posted by Potsy at 1:34 AM on March 22, 2001


Interesting ethics! So if I invite you over for dinner, and I'm stupid enough to leave my wallet on the coffee table, it's okay for you to take it?

Let's be accurate, here.

If someone leaves a folding table in their front yard, with a bunch of computer components on it with no price tags, and goes on a 4 hour drive in midday -- which is a much more accurate analogy than the one you chose -- are people driving past really being immoral or unethical to take things off the table?

Where, precisely, does the onus change hands?
posted by baylink at 9:45 AM on March 22, 2001


They're certainly being unethical. Taking someone from someone's property is a pretty unethical thing to do, regardless.

Sure, it's bone-headed stupid on the part of the owner (or the site programmer in this situation) but that doesn't make it ethical.
posted by cCranium at 9:56 AM on March 22, 2001


baylink, that analogy's no good. A table with junk on it by the side of the road sort of implies that the stuff is trash or free. An e-commerce (shudder, I'm sorry I said it) site doesn't give off that vibe.
posted by sonofsamiam at 9:58 AM on March 22, 2001


Better analogy: you go to an e-commerce site, and notice that the price is easily modified via the URL, or a hidden FORM tag. You go ahead and change the price to something ridiculously low.
posted by hijinx at 10:20 AM on March 22, 2001


Perhaps a more apt analogy would be you go to a yard sale, see an item there, and make a counter offer. The seller agrees to the price, and sells you the product at that price. Simple enough.

Hey, I'm no lawyer, but if the server accepts the transaction and even gives you a reciept, they should have to honor the price you offered.
posted by snakey at 12:46 PM on March 22, 2001


Come on, changing the price of an item at an e-commerce site is no more legal or ethical than altering a price tag at a physical store. You may get away with it, but it doesn't make it right.
posted by Aaaugh! at 2:34 PM on March 22, 2001


What Aaaugh! said -- this is exactly like switching price tags and hoping the sales clerk doesn't notice that the $60 cashmere sweater you're buying shouldn't cost $19. If you pull that, you may get arrested (or you may get away with it), because it's fraud.
posted by dhartung at 3:55 PM on March 22, 2001


I like the haggling analogy better. After all, the site requires the consumer to send back a price for the item. If I want to haggle, I should have that right. Like matthowie sez, there are obvious ways to verify the price on the server side. So it isn't as though the seller doesn't have the option of refusing a counter offer -- even if it's only with a server error.

If you ask me, what we have is a case of the seller accepting an offer without actually looking at the price the buyer has offered. Whereas you'd probably train a clerk to look at the price tag before entering it in the register, the coder here was too lazy/stupid to have the server do the same thing.

The seller took a hit by making an ill-advised sale? I say tough beans. But then, the dotcoms always screw me on the shipping anyway, so I love to watch 'em squirm.
posted by snakey at 4:53 PM on March 22, 2001


erm -- the cash register analogy is silly. It's more like the car salesman selling the car for way less than he should have. Yeah, that's it.
posted by snakey at 5:00 PM on March 22, 2001


Sorry, but the ethics here seem VERY simple to me:

If you take something that you KNOW (or strongly suspect) the owner wants to keep, you're stealing.

If you buy something for less than the price you KNOW (or strongly suspect) the owner intended to charge, you're stealing.

I've seen mismarked items in stores before, and I've bought them for the lower price. So I'm not claiming moral superiority over anyone here. But when I did this, I KNEW I was stealing.

If you think it's okay to steal from studid people, that's pretty scary.

If someone leaves a folding table in their front yard, with a bunch of computer components on it with no price tags, and goes on a 4 hour drive in midday -- which is a much more accurate analogy than the one you chose -- are people driving past really being immoral or unethical to take things off the table?

If you were one of the "people driving past", would you feel comfortable leaving a note that said, "I took some stuff off this table. My address is XXXX and my phone number is YYYYY."? If not, why not?
posted by grumblebee at 3:59 PM on March 24, 2001


« Older a white man speaking black truths...   |   VA governor changes Confederat... Newer »


This thread has been archived and is closed to new comments