Comments on: How to buy a 65” Plasma for $.99

By: bill

bill — Sat, 29 Mar 2008 17:29:40 +0000

Bill,

Thanks for the comment. You are of course incorrect. The problem here has nothing to do with the transport mechanism, and everything to do with the data being sent. Most shopping carts take as input from the user a SKU and a QTY. The price is calculated on the back-end. If I manipulate one of these fields, all I get is a different product or a different quantity. No big deal.

With Cartit, the price is also sent from the client to the server, and can be manipulated. Unless you have some other mechanism on the back-end that re-validates the price, the changed value will be accepted. Transporting this over SSL would have no effect, because I change the value on my side before I send it.

Thanks for stopping by and reading my article!

-Bill

By: Bill

Bill — Thu, 27 Mar 2008 17:16:18 +0000

This is a perfect example of the uneducated telling a story without any facts- fact is man-in-the-middle have been around a long time and if CartIt is insecure, then so is Paypal and any other form-based cart. This “exploit” is trivial and simply not likely to ever get past any small merchant running cartit. Data tampering in such a way as this would be simple theft. CartIt is secure so you’ve proved nothing except that someone could manipulate the price. They could also manipulate any other form field data as well. Considering the number of fraud orders the average online merchant gets each day, this would be trivial to catch. What is disgraceful is your characterization of a host being bad because they support a cart? So do the same to PayPal- why not? An easy way around this would be to install cartit.cgi to an SSL URL and make all posts to the cart via SSL. EASY but SLOW.

By: Anonymous

Anonymous — Tue, 27 Feb 2007 22:22:47 +0000

Very informative site. Good job.

By: Dan

Dan — Wed, 24 Jan 2007 22:56:04 +0000

Calling CartIt and other carts like it insecure because it allows the hidden field is incorrect. It is not insecure for this reason. The reason for allowing such is to not depend on a shopping cart’s ability to present a product page the way the merchant wants. CartIt, like most like it, allows the merchant to create a way to check this price and verify that it is valid (though most don’t use it).

CartIt merchants are small merchants. They typically only have one or two people working for them. They usually will catch pricing information that is wrong because they hand process each of the orders.

As for the checking the referring URL. CartIt can check for this, but blame companies like Symantec and ZoneLabs for this not being enabled. Because they find that sending a referring URL is a privacy violation, these products, by default, block the sending of the referring URL.

By: Mike

Mike — Thu, 28 Dec 2006 23:38:20 +0000

Interesting story, you should have posted more text when you dropped a link on my forum though. I nearly deleted it as spam.
Anyway I dugg this and your Added to my Digg Army.
I will let you know when we have gathered some more troops then we can get digging.

By: me

me — Tue, 21 Nov 2006 10:07:35 +0000

It just annoys me this even exists these days - it is disgraceful that the product is in such wide circulation still

By: How to Buy a 65″ Plasma for $.99 « Paul´s Blog

How to Buy a 65″ Plasma for $.99 « Paul´s Blog — Fri, 17 Nov 2006 17:38:48 +0000

[...] read more | digg story [...]

By: Anon

Anon — Thu, 16 Nov 2006 03:27:36 +0000

AMATEUR Lawyer…..don’t relly on this !
—————————
Advertisement is an offer to treat.
Customers Order is an Offer to buy at a price (usualy matching the advertised price)
Acceptance comes from the shops end when they ring up the purchase

Offer + Acceptance = Contract.
———————————————–

AFAIK it is legal to make an offer of any amount regardless of the price on the shelf or the web site.

Walking into a shop and offering 99c for a TV is legal (You would expect the shop clerk to refuse your offer in that case)
If a shop is stupid enough to automate a process that accepts any offer you make then that’s their problem.

By: ex-FBI

ex-FBI — Thu, 16 Nov 2006 01:39:18 +0000

+ more

To all store owners, get a proper shopping cart which which does not have such a serious vulnerability.

Its probably time consuming to filter out all the orders that came through in the last couple of days from kiddies using their parents credit cards so ensure you have a deterrent in place on the main page or checkout page, if you are unable to secure the shopping cart software. A simple, “alterations of prices is fraud” on the final checkout page would weed out 90% of these sorts of transactions.

By: ex-FBI

ex-FBI — Thu, 16 Nov 2006 01:35:42 +0000

I’ve worked in the computer crimes division for the FBI for several years. These days I’m a private investigator with a major banking corporation.

Firstly, there is no actual ‘crime’ unless the goods were shipped out. If the transaction was cancelled by the store owner, then it was never actually completed, so no ‘contract’ was entered into to be defrauded - hence, no case for wire fraud. Wire fraud needs to be proven by hard evidence in any case. The plaintiff would have to prove that their computers and server was compromised and that the user actually benefitted from the transaction by receiving the goods.

Again, no loss, and no evidence of loss so no prosecution. The only thing the store owner would be doing is wasting the FBI’s time and hindering their chances of a good and solid investigation regarding a real fraudulent crime in the future.