RE: [Full-disclosure] Exploiting an online store



________________________________

From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Josh perrymon
Sent: Wednesday, September 14, 2005 4:05 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Exploiting an online store

 

I was reading an article about an attacker that could have changed a price in
an online shopping cart-

 

Snip----

<<SNIP Reshef's $22.95 to $2.95 sploit>>

 

What are the laws on this? What if the guy did make the transaction using his
credit card? Since it is just a web transaction sending HTML from the client
to the server, what proof would they have?

 

Joshua Perrymon

 

IANAL, but I believe that the contract isn't formed between buyer and seller
until the purchase price is accepted on both sides and money changes hands.
The price in a store is analogous to one in a catalog - suggested, and
subject to change.  Typically, that means by the seller, but if the buyer
does it and the seller accepts the price, then it is a legal transaction.
Once the money is accepted, the seller has agreed to sell at that price, and
taken the money, making it difficult for him to suggest that he was unaware.

 

Of course, what typically happens is that the seller goes to ship the item,
and sees how much was paid, and sends a bill for the remaining balance before
the item is shipped.  Proof isn't really needed.

 

Tom

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/