Date: Wed Sep 14 21:15:20 2005
From: tquinlan at capitaliq.com (Thomas Quinlan)
Subject: Exploiting an online store

________________________________

From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Josh perrymon
Sent: Wednesday, September 14, 2005 4:05 PM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Exploiting an online store

 

I was reading an article about an attacker that could have changed a price in
an online shopping cart-

 

Snip----

<<SNIP Reshef's $22.95 to $2.95 sploit>>

 

What are the laws on this? What if the guy did make the transaction using his
credit card? Since it is just a web transaction sending HTML from the client
to the server, what proof would they have?

 

Joshua Perrymon

 

IANAL, but I believe that the contract isn't formed between buyer and seller
until the purchase price is accepted on both sides and money changes hands.
The price in a store is analogous to one in a catalog - suggested, and
subject to change.  Typically, that means by the seller, but if the buyer
does it and the seller accepts the price, then it is a legal transaction.
Once the money is accepted, the seller has agreed to sell at that price, and
taken the money, making it difficult for him to suggest that he was unaware.

 

Of course, what typically happens is that the seller goes to ship the item,
and sees how much was paid, and sends a bill for the remaining balance before
the item is shipped.  Proof isn't really needed.

 

Tom
