posted Mar 07, 2001

Tag - You're Hit
Administrative
3/7/2001; 5:31:28 PM

'An estimated one-third of all shopping cart applications at Internet retailing sites have software holes that make them vulnerable to the price switching scam, said Peggy Weigle, chief executive of Sanctum, a security software company in Santa Clara, Calif....

'Here's how it works: After choosing a product and receiving pricing information, a hacker can use a standard browser's "edit page" feature to show the hidden HTML code on the page. The thief then saves the page to his computer, alters the price information and then hits the "publish" key on the browser. In many cases, that page is then accepted by the shopping cart software - and that $999 watch becomes a $3 special.'

Speaking as a web professional who has designed and implemented some secure programs tracking millions of dollars worth of stuff... this kind of security hole is not hard to plug. In fact, with proper design, it should never be an issue. You can never trust a client any farther than you can throw them! Always check data for validity, not for lack of invalidity (which is theoretically the same thing but in practice totally different: a list of what you accept is finite and knowable, a list of everything you reject is not).

On that topic... there are many systems vulnerable to this, not just e-commerce systems. I once tried to submit a -100000 rating on an "Are you hot or not?" site... the site seemed OK with it, didn't fire an error, but it didn't accept it either, fortunately. You can have a lot of fun with this, if you care to (which I usually don't, but the thought of giving someone a massively negative rating on one of those silly Am I Hot Or Not? sites was just too amusing to pass up).
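To make the two points above concrete, here is an added example (my own illustration, not code from the article or from any vendor it mentions): a checkout handler that trusts the browser's hidden price field, next to a hardened one that looks the price up server-side and validates each field against what is explicitly allowed, plus the same allow-list idea applied to the rating form. The catalog, the quantity limit and the form data are constructed sample values.

```python
# Added example: price tampering via a hidden form field, and the fix.
# CATALOG and MAX_QTY are constructed values for a hypothetical shop.
import re
from decimal import Decimal

# Server-side catalog: the only trustworthy source of prices.
CATALOG = {"watch-123": Decimal("999.00"), "strap-7": Decimal("25.00")}
MAX_QTY = 10  # per-line-item limit this hypothetical shop enforces
DIGITS = re.compile(r"[0-9]+")  # ASCII digits only; no sign, no exponent


def checkout_vulnerable(form):
    """Vulnerable: the total is computed from the price the browser
    submitted, so an edited hidden field (price=3) is accepted as-is."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    """Hardened: the client may name a product and a quantity, nothing
    more. Each field is checked for validity against an allow-list, and
    the price comes from CATALOG, so any submitted price is ignored."""
    product_id = form.get("product_id")
    if product_id not in CATALOG:                # must be a known product
        raise ValueError("unknown product")
    qty_raw = form.get("qty", "")
    if not DIGITS.fullmatch(qty_raw):            # rejects "-1", "1e9", ""
        raise ValueError("quantity must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:                  # explicit allowed range
        raise ValueError("quantity out of range")
    return CATALOG[product_id] * qty


def validate_rating(raw):
    """Same principle for the rating site: accept only the values the
    form offers (1..10). -100000 fails because it is not on the list,
    not because that particular bad value was anticipated."""
    if DIGITS.fullmatch(raw) and 1 <= int(raw) <= 10:
        return int(raw)
    raise ValueError("rating must be 1..10")


if __name__ == "__main__":
    # Constructed tampered submission: the hidden price was edited to 3.
    tampered = {"product_id": "watch-123", "price": "3", "qty": "1"}
    print(checkout_vulnerable(tampered))   # 3       (the $999 watch for $3)
    print(checkout_hardened(tampered))     # 999.00  (submitted price ignored)
```

The hardened handler never reads a `price` field at all; the submitted value cannot matter, no matter what the page was edited to.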
