Name your own price on dental products
- go to http://www.dentist.net
- find the product you want
- enter in address bar:
javascript:void(document.onmousedown=ra) - firefox web developer toolbar:
Forms | Display Form Details
Forms | Make Form Fields Writable - edit text input named ‘price‘.
click ‘add to cart’ button - laugh
Of course, I would not really proceed through checkout with any cart created inappropriately, but it was fun to play with a little bit.
Ordinarily, I’d contact a company to let them know about a gaping security hole like this, but…
- I’m still bitter about them crippling my browser
- My blogs don’t have very many readers
- I’m confident that they would catch even the slightest modified order parameters, because, “We are Fraud Smart and pursue fraudulent orders to the full extent of the law.” (from checkout page)
subscribe to entries feed
July 18th, 2006 at 10:29 am
Gotta love those security holes. I had a similar issue with trying to buy a gift certificate from Archie McPhee’s store. Check out their gift certificate page:
http://www.mcphee.com/info/gc.html
NO SSL WHATSOEVER. I contacted them and said they lost business from me because of it (I’m not about to put my credit card info out into the open). They emailed me back and tried to say I was mistaken about the lack of security on that page. The funniest part was that their IT guy was trying to convince me that it was secure. Excerpt from his email follows:
“the gc buy page is NOT secure, in that it doesn’t use SSL, but in this
case it doesn’t matter. this particular page kicks off a script on the
server which then transfers the information to us via an encrypted email.
no credit card information is ever passed on via HTTP, therefore the SSL
certificate doesn’t come into play. A sniffer would have to be running on
our actual server, since no internet traffic is generated by the form
post. In fact, the gc.html page does not even touch the cookie.”
I love the horrendously flawed logic behind that claim. The sad thing is that I’m guessing many folks use the gift certificate form without realizing their credit card information is out in the open for the taking. And I *love* Archie McPhee’s products (they make cool novelties like the Jesus Bobblehead and bandaids that look like strips of bacon), so it is all rather unfortunate.