Exploiting an online store

["Josh perrymon" <perrymonj () networkarmor com>]

I was reading an article about an attacker that could have changed a
price in an online shopping cart-

 

Snip----

 

Next, Reshef performed a little number he calls ``electronic 
shoplifting'': He edited the site's online order form to reduce the
price 
of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef 
actually could have purchased the book for the reduced price, adding a 
whole new spin to Priceline.com's ``name-your-own-price'' marketing 
campaign. 

Reshef's exploits didn't require any sophisticated software or 
particularly detailed knowledge of computer code. ``The only thing you 
need is an HTML editor that comes bundled with your Netscape or Internet

Explorer browser,'' he said. ``There is no magic to this.'' 

 

What are laws on this??  What if the guy did make the transaction using
his credit card? Since it is just a web transaction sending html from
the client to the server what proof would they have?  

 

 

 

Joshua Perrymon

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/