Don't let shoppers name their price
Web Informant #171, 11 October 1999
You have probably heard about Priceline.com, the web site that lets those in pursuit of bargains, particularly for airline tickets and hotel accommodations, name their own price. While I have never been able to conclude a transaction there (guess I'm too much of a cheapskate), several friends did get last-minute plane tickets and were grateful to avoid the ridiculous sums airlines charge for eleventh-hour planning.
I found another way to get online bargains, though. It involves a simple hack to web shopping cart pages. All it takes is a text editor, a browser, and about five minutes of spare time. To see what I mean, go to the link below and check out the copy I made of a storefront demo, called Wayne's Widget World, which is maintained by Americart.
Notice the first item has a pull-down list to specify different metal types for your widget. Choose one, and jot down the price you see on this screen. Now click on the button used to add the item to your shopping cart and note the difference between this price and what you are about to pay.
How was this done? Simple. I used Wordpad to change the price listings in this page. Then I saved the page to my hard disk (and also to my site, so you can see how I did it). Then I opened this new page inside my browser. The entire process took about five minutes. It required no cryptography experience. No social engineering (calling people up on the phone and tricking them into giving you passwords and other company-confidential information). No backdoor Unix commands.
Now, I am obviously not saying that you should do this. Nor do I mean to pick on Americart; plenty of other shopping cart systems can be similarly tampered with. But I do want to show you how frighteningly easy it is to make these changes, and how important it is for eCommerce proprietors to scrupulously explore all security holes, not just the ones involving complex technologies like cryptography. Fraud will become a big problem as eCommerce explodes, and it's essential to do what it takes to identify (and fix) the vulnerabilities in your shopping cart systems. If you use another shopping cart program and can easily edit the prices as I've done here, consider switching to something more secure.
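The fix for the widget-price edit above is for the server never to believe a price that arrives with the form. Below is an added example (my own illustration, not code from the column or from Americart) that shows the trusting cart total beside a hardened one that prices each line from a server-side catalog and logs any mismatch; the SKUs, prices and form body are constructed.

```python
from urllib.parse import parse_qs

# Hypothetical catalog, prices in cents, keyed by SKU (constructed).
CATALOG = {"WIDGET-STEEL": 1995, "WIDGET-BRASS": 2495, "WIDGET-GOLD": 9900}

# Constructed form body as an edited storefront page would submit it:
# the gold widget's price field has been changed from 9900 to 1.
TAMPERED_BODY = "sku=WIDGET-GOLD&qty=1&price=1&sku=WIDGET-STEEL&qty=2&price=1995"


def parse_items(body):
    """Turn a urlencoded body with repeated sku/qty/price fields into dicts."""
    q = parse_qs(body, strict_parsing=True)
    skus, qtys, prices = q.get("sku", []), q.get("qty", []), q.get("price", [])
    if not (len(skus) == len(qtys) == len(prices)):
        raise ValueError("mismatched sku/qty/price field counts")
    return [{"sku": s, "qty": int(n), "price": int(p)}
            for s, n, p in zip(skus, qtys, prices)]


def total_trusting_client(items):
    """Vulnerable pattern: the price is whatever the submitted form says."""
    return sum(i["price"] * i["qty"] for i in items)


def total_server_priced(items):
    """Hardened pattern: the price is looked up by SKU on the server.
    The client's price field is only compared, to flag tampering for the logs."""
    total, alerts = 0, []
    for i in items:
        sku, qty = i["sku"], i["qty"]
        if sku not in CATALOG:
            raise ValueError(f"unknown SKU {sku!r}")
        if qty <= 0:
            raise ValueError(f"bad quantity {qty} for {sku}")
        price = CATALOG[sku]
        if i["price"] != price:
            alerts.append(f"price mismatch for {sku}: client sent "
                          f"{i['price']}, catalog says {price}")
        total += price * qty
    return total, alerts


if __name__ == "__main__":
    items = parse_items(TAMPERED_BODY)
    print("trusting the form:", total_trusting_client(items))
    total, alerts = total_server_priced(items)
    print("server priced:", total)
    for line in alerts:
        print("ALERT:", line)
```

The trusting version charges 3991 cents for a cart that should cost 13890; the hardened version charges the catalog price and produces one alert naming the edited SKU.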
If you are interested in this topic, and plan to be in the Boston area this week, consider spending a day or two at the Internet Security Conference. I've designed a full-day program on Tuesday that will address these and other eCommerce security issues. It will feature presentations from several panels of experts and fellow journalists. For the details on this panel and the conference in general, click here.
Copyright © 1999, 2000 media.org.
Web Informant copyright 1999 by David Strom, Inc., reprinted by permission
Web Informant is a registered trademark (®) with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.