[Full-disclosure] Exploiting an online store

[Josh perrymon]

I was reading an article about an attacker that could have changed a price in an online shopping cart-   Snip----   Next, Reshef performed a little number he calls ``electronic shoplifting'': He edited the site's online order form to reduce the price of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef actually could have purchased the book for the reduced price, adding a whole new spin to Priceline.com's ``name-your-own-price'' marketing campaign. Reshef's exploits didn't require any sophisticated software or particularly detailed knowledge of computer code. ``The only thing you need is an HTML editor that comes bundled with your Netscape or Internet Explorer browser,'' he said. ``There is no magic to this.''   What are laws on this??  What if the guy did make the transaction using his credit card? Since it is just a web transaction sending html from the client to the server what proof would they have?        Joshua Perrymon

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/