Someone’s determined that there’s a way to buy stuff for a very small fraction of their real price. Of course, this scheme is one of those “don’t try this at home or anywhere” stunts, for by doing so you WILL get into trouble, but unfortunately, there are those who’ll be wanting to take that risk in order to quench their greed and relish immediate gratification.
In some places, you can get a Plasma for $0.99 or a PlayStation for $0.99. That’s what Bill from Edgeblog claims, who came upon some shopping cart “features” during his studies towards a Certified Ethical Hacker certification (learn something new every day), exposing the secret behind some modular shopping carts: they are built with hidden fields that pass along critical elements such as price and quantity during vulnerable moments, and those fields can be easily intercepted by unscrupulous cybercriminals or even by the clever, precocious 12-year-old kid next door. Bill hit it on the head right here:
CartIt.cgi is a widely used shopping cart that stopped being developed last year. The reason this application is flawed is that it uses hidden fields within the HTML POST to submit the price and quantity when the user clicks on the add-to-cart button. Hidden fields are easy to manipulate. One of the easiest is to use a local proxy, such as Paros, to intercept the POST, effectively launching a man-in-the-middle attack. This allows you to change the price before it is submitted to the server.
The exploit described above is not unique to CartIt. There are many shopping carts that use hidden POST fields. A shopping cart should allow the user to submit the SKU and the quantity, but never the price. The price should be queried from a database.
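To make the distinction concrete, here is an added example (not CartIt’s code, nor Bill’s): a cart handler that trusts a hidden price field, beside a hardened one that accepts only SKU and quantity and takes the price from a server-side catalog. The catalog, the quantity limit and the POST bodies are constructed for the example; the same rule covers any client-side check, since JavaScript and hidden fields live in the browser and are never trusted by the hardened handler.

```python
from decimal import Decimal

# Constructed catalog for the example: SKU -> unit price (hypothetical values)
CATALOG = {
    "PS3-60GB": Decimal("599.99"),
    "PLASMA-42": Decimal("1999.00"),
}
MAX_QTY = 10  # assumed per-line quantity limit, enforced on the server


def add_to_cart_vulnerable(form):
    """Flawed pattern: the unit price arrives in a hidden POST field, so
    whatever a local proxy rewrites before submission becomes the charge."""
    qty = int(form["qty"])
    price = Decimal(form["price"])  # client-controlled value
    return {"sku": form["sku"], "qty": qty, "unit_price": price,
            "total": price * qty, "suspicious": False}


def add_to_cart_hardened(form):
    """Accept only SKU and quantity; the price is looked up server-side."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    # A legitimate client never sends a price; its presence is a tamper
    # signal worth logging, but the value itself is simply ignored.
    suspicious = "price" in form
    price = CATALOG[sku]
    return {"sku": sku, "qty": qty, "unit_price": price,
            "total": price * qty, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed POST body as an intercepting proxy might rewrite it
    tampered = {"sku": "PS3-60GB", "qty": "1", "price": "0.99"}
    print("vulnerable:", add_to_cart_vulnerable(tampered)["total"])  # 0.99
    print("hardened:  ", add_to_cart_hardened(tampered)["total"])    # 599.99
```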
In light of this egregious oversight, what can I say but Yowza! A PS3 for $0.99? Certainly a tempting thought to some, once they’ve figured out they CAN fudge the figures and shift that decimal point rather easily while the numbers float through the ether.
This is just the tip of the iceberg, as the cliche goes. The previous example was one showing how the business gets shafted. But it is actually just as common if not more so for the consumer to get burned.
Throughout the years, I’ve worked in various technical departments spanning a variety of industries and have been privy to some worrisome facts: that security is really not up to par in many of these companies, both small and large, where money in its most basic form and in its numerous flavors gets transmitted and stored, sliced and diced and processed from one legacy system to another, so much so that sometimes I wonder how it ever finds its way to accurate presentation for the end consumer. I’ve seen some scary things like highly sensitive information exposed in HTML page sources, or “accidentally” included in reports that can be easily printed out by the receptionist, who by the way is the temp of the month. When the problem gets discovered, it’s never an intentional thing.
And how about unencrypted passwords in databases or, Heaven forbid, files? Or the gold mine of all IT departments, the trusty, hefty, fully saturated log files that capture every bit of information under the sun. Would you like to venture a guess on how amazingly human-readable or accessible these files actually are?
I’ve also had the pleasure to work at several companies that do every bit in their power to ensure the security and accuracy of your data and theirs, and that do a great job with it. These companies are already known for their hard-earned, golden reputations. Nevertheless, I’ve wondered whether faulty shopping carts could be the harbinger of possible issues with larger institutional or commerce-based software applications. It sure makes me want to generalize and question what’s going on out there, making me think twice before pushing my keyboard buttons.
Maybe all this will make you curious enough to peek behind the covers once in a while to see if you really can get that digital camera for $10 or, more disturbingly, whether you’ll need to keep an even closer eye on your credit card statements or credit reports.
At any rate, I did find a PlayStation 3 that sold for $0.99 although it was actually due to human error.
Copyright © 2006 The Digerati Life. All Rights Reserved.
Thanks for reviewing my article! This is a great blog.
-Bill
Wow, that information is a hacker’s dream. I have an online store; you can’t be too careful.
Thanks for the great tips. I may need the Ethical Hacker certification to keep up with all this.
I have a 21-year-old son who plays the Warcraft video game 24/7. He does not want to work or go to school, he does not have a girlfriend, and he makes every excuse not to do either. I know I am enabling him by letting him live in the house for free. I want to put him out of the house, but I think he needs help. I put him in counseling, but I don’t know what I need to do for this particular problem. This is so stressful and I am at my wit’s end. Any suggestions?
Editor: Yeah, first thing is to take away all the games from your house, and probably quit blogging about games too. 😉
In some cases, when you turn off JavaScript and add to cart, you can “trick” the function and create an interesting result. For example, on danielsjewelers.com you can build a mother’s ring or high school ring and, right before you add to cart, turn off JavaScript and hit the add-to-cart button a bunch of times. Then go to the cart page and you will see that item in the cart for only $1. What a deal. This works in Firefox. Just build the ring w/ JavaScript on and then turn it off right before you add to cart. Click the crap out of it. Works.
Wow, this is like a hacker’s dream. Thanks for the info!
Well, I tried your advice, but ended up paying $299 for my PS3. Haha 🙂