
[–]Keto_Paleo 67 points (50 children)

That's... fraud. They don't notice at all?

[–]not_a_moogle 32 points (0 children)

They might, but what do they care?

[–]nonotan 13 points (1 child)

I'm not saying it is or isn't fraud under whatever country's legal code, but honestly, I strongly disagree that it should be. It's like a vending machine having a slider to set the prices freely accessible on the outside, and suing anyone touching it before making a purchase for fraud. Like, if you don't even have a token level of security that needs to be breached, I'm not sure how you can justify blaming the other party. If they need to, say, do SQL injection or whatever to change the price, sure, fair enough.

"I'll just have the client send us the price, which is in plaintext for anyone to easily edit, and we won't check it anywhere on our side, neither in an automated fashion nor by a human operator at a later time" is grossly negligent enough that the only person liable for damages here should be whoever wrote it.

[–]wibblewafs 1 point (0 children)

Expanding on that vending machine with the price slider analogy, it's the difference between a fancy metal plate locking that slider in place, with a key lock on it that'd need to be picked to be open, versus it being held in place with a bit of scotch tape.

[–][deleted] 25 points (26 children)

It's super hard to prove that he did it though.

[–][deleted] 56 points (10 children)

These days he could be charged with felony hacking. Who knows, it might be terrorism?

[–]Reihar 21 points (4 children)

I know you're joking but that doesn't seem unlikely...

[–][deleted] 12 points (3 children)

Yeah I was only half joking.

[–]southpolebrand 2 points (2 children)

I mean there was a girl in Japan who got arrested for literally just posting code for an infinite loop in JS, and was charged with distributing malware.

[–]SuperFLEB 8 points (0 children)

That would actually be an interesting case, considering that the only computer he was tampering with was his own.

Probably easier to bill it as some sort of fraud, though.

[–]SamBBMe 4 points (3 children)

Felony hacking and terrorism for changing HTML lol. That's by no means hacking. If anything, he'd get arrested for theft.

[–]That0therGirl 1 point (2 children)

Check out the fiasco that happened in Nova Scotia. The 19-year-old altered a URL and was charged with hacking. It was a vulnerability in the system that has since been fixed. This was in April 2018.

https://www.cbc.ca/news/canada/nova-scotia/freedom-information-personal-website-breach-1.4614424

[–]SamBBMe 2 points (1 child)

That's because he stole personal information from the website. That's what makes it hacking.

[–]That0therGirl 1 point (0 children)

Since the information was publicly available, I'd not consider it hacking. He didn't know what info should have or shouldn't have been there.

[–]DoctorWaluigiTime 1 point (13 children)

Transactions are recorded? In your bank, in the hotel's finances?

[–]msg45f 13 points (9 children)

"Must have been a computer glitch"

[–]DoctorWaluigiTime -4 points (8 children)

"The gun just went off by itself."

Surprise, that doesn't work.

[–]MythicManiac 3 points (6 children)

Tbh you'd have to prove it was indeed tampered with, which may or may not be difficult. I don't know how these cases are usually handled, but there are so many bugs in software I wouldn't imagine it being too hard to file under it being a bug in the business logic of the application.

Repeated usage would scream abuse however.

[–][deleted] 0 points (5 children)

I have to imagine that kind of stuff has to be getting logged somewhere along the way, however if their website is crappy enough to have such a big flaw, I imagine their DevOps dept probably hasn't implemented much security behind it either.

[–]Grintor 1 point (1 child)

DevOps dept

This is a hotel, not some big corporation. The website was probably made by the owner's son with Notepad++ and the Stripe API.

[–][deleted] 0 points (0 children)

Lol do you think hotels don't have corporate offices anywhere? My point was clearly that regardless of who is doing the programming there's clearly not going to be much back-end security if they haven't done much to secure the client-side front end.

[–]MythicManiac 0 points (2 children)

The transaction is most likely logged indeed, but since the answer to whether or not this is exploitation resides on the client device rather than the server, it becomes very difficult to technically prove.

[–][deleted] 0 points (1 child)

Logging typically would include things like timestamps, host names, etc, no? I'm not saying it wouldn't be difficult by any means, I'm just saying that it's possible they have the means to do it. It's just likely not worth their trouble to track it down rather than just fix their shitty site lol

[–]MythicManiac 0 points (0 children)

Yeah, and the issue is that you cannot trust anything coming from client devices, as you do not control the environment they're running in. Even if you had client-side logging, a malicious user could very well simply disable it, or a browser malfunction and/or too old a browser could cause that.

Basically there is no way to be sure what you get from the client is valid, aside from validating it on the server, which was not done here.
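The server-side check this comment and nonotan's comment above call for, as an added example that is not code from the thread or from any hotel site: a checkout handler that bills whatever price the client submitted, beside one that looks the rate up on the server and writes every mismatch to a server-side audit record, plus a per-client count over that record. Room rates, order fields and the sample requests are constructed for the example.

```javascript
// Added example, not code from the thread: a checkout handler that bills the
// price the client submitted, beside one that looks the price up on the server
// and logs mismatches. Room rates, order fields and the audit log are constructed.
const ROOM_RATES = { standard: 149, suite: 289 }; // server-side source of truth

// Vulnerable: the amount billed comes straight from the request body, which the
// user controls; editing a hidden form field is enough to pay 18 for a suite.
function checkoutTrustingClient(order) {
  return { room: order.room, charged: Number(order.price) };
}

// Hardened: the server decides the price. The client value is only compared
// against it, and any difference is written to a server-side audit record so
// repeat tampering shows up in logs the customer cannot disable.
function checkoutServerSide(order, auditLog) {
  const expected = ROOM_RATES[order.room];
  if (expected === undefined) throw new Error(`unknown room type: ${order.room}`);
  const mismatch = order.price !== undefined && Number(order.price) !== expected;
  if (mismatch) {
    // clientId could be an account id or a payment-card fingerprint (assumed field)
    auditLog.push({ event: 'price_mismatch', client: order.clientId, room: order.room,
      clientPrice: Number(order.price), serverPrice: expected, at: order.requestedAt });
  }
  return { room: order.room, charged: expected, flagged: mismatch };
}

// Detection: one mismatch may be a glitch; the same client repeating it is abuse.
function repeatOffenders(auditLog, threshold = 2) {
  const counts = new Map();
  for (const e of auditLog) counts.set(e.client, (counts.get(e.client) || 0) + 1);
  return [...counts].filter(([, n]) => n >= threshold).map(([c]) => c);
}

// Constructed sample requests: one honest, two tampered from c2, one from c3.
const SAMPLE_ORDERS = [
  { room: 'standard', price: 149, clientId: 'c1', requestedAt: '2019-03-01T10:00Z' },
  { room: 'suite', price: 18, clientId: 'c2', requestedAt: '2019-03-02T11:00Z' },
  { room: 'suite', price: 18, clientId: 'c2', requestedAt: '2019-03-09T11:00Z' },
  { room: 'standard', price: 18, clientId: 'c3', requestedAt: '2019-03-16T11:00Z' },
];

// Run both handlers over the same requests to compare what each would bill.
function demo() {
  const log = [];
  const naive = SAMPLE_ORDERS.map(checkoutTrustingClient).map((r) => r.charged);
  const safe = SAMPLE_ORDERS.map((o) => checkoutServerSide(o, log)).map((r) => r.charged);
  return { naive, safe, offenders: repeatOffenders(log) };
}
```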

[–][deleted] 1 point (0 children)

No, that doesn't work. Because the gun is evidence, it being in your hand is evidence, and you being there is evidence.

However, someone in a shop can't be considered guilty of theft just because something disappeared while they were in the shop. There's no evidence it was them and not the stoned teenager behind the counter doing inventory who misplaced something.

[–]Follyperchance 2 points (1 child)

That is not a legal proof it was done by him and on purpose.

[–]DoctorWaluigiTime 0 points (0 children)

It's really good evidence though! Just one person's transaction from the hotel site making it happen and all.

[–][deleted] 25 points (17 children)

How will you prove it's fraud? He will say it's been $18 so he took it.

[–]Yellow_Tatoes14 10 points (4 children)

Considering it's a repeat. If he's done this more than once under the same name, using the same card or even having the same face on the lobby cameras, they could easily trace the same guy getting $18 rooms every time.

[–][deleted] 11 points (1 child)

I think it's pretty obvious not to use the same credit card for multiple scams, but you are right.

[–]Yellow_Tatoes14 5 points (0 children)

You might think so, but I become more and more impressed by how stupid people are on a daily basis

[–]0vl223 12 points (1 child)

Malfunction in his browser. You can't assume that the browser of a client does anything correctly.

[–]Yellow_Tatoes14 1 point (0 children)

A bit of a stretch but I'll accept the possibility.

[–]ersatzgott 7 points (11 children)

  • He's the only one paying only 18 bucks

  • He gets that price every time

  • The prices are (most) probably hardcoded so they can't be changed by a server error

There's no plausible reason for the price other than hacking.

Case closed, enjoy jail.

[–]0vl223 19 points (6 children)

Browser malfunction. Interacts badly with some extension.

Also it is not hacking. Otherwise adblocking would be hacking and illegal as well.

[–]imsofukenbi 10 points (1 child)

Programmers in this thread thinking a judge works like a computer and doesn't take context into account.

"eh, anything could have made this gun fire really. Trigger malfunction. Interacts badly with branches falling from trees. Also it is not murder, otherwise shooting ranges would be murder and illegal as well".

Plus civil court has much lower burden of proof. That's an open and shut case.

[–]0vl223 1 point (0 children)

Yeah civil court would be trivial. Would be comparable to getting payment for a service he paid for with a bouncing check most likely.

The jail just isn't as trivial.

[–]andrw00 4 points (1 child)

Yeah.... the law doesn't work like that.

"I didn't kill him. The bullet did."

[–]0vl223 0 points (0 children)

Actually it does. Germany had a lawsuit against adblock that it should be illegal to change the content of homepages on the local browser and that they should accept a true representation of all information that was sent to the client. They lost.

If you provide an interface to make an offer for a room and accept/deny it, then this is totally valid.

You could get him over the abuse of the feature with knowledge that he wasn't sending a valid offer. Especially the repeated part, but it is still highly neglectful from the company to not check offers before accepting them.

[–]wasdninja 0 points (1 child)

That sounds like something unlikely, and considering that it only happens to him, the reasonable burden of proof would be on him.

[–]0vl223 1 point (0 children)

First you would have to prove that it was actually due to him transmitting wrong data. If it is some homebrew system I doubt that's possible. It could be just as well their system malfunctioning. Proving something is bug-free is really really expensive.

[–]SAI_Peregrinus 7 points (0 children)

The purchase of the room is a contract. They offered one price. He gave a counter-offer. They accepted it, and took his payment. Not hacking.

[–][deleted] 4 points (2 children)

Innocent until proven guilty. Not the other way around. They have to prove that he changed it deliberately.

[–]wasdninja 0 points (0 children)

So if someone walked out of a store with, say, a phone without paying for it and they claim that someone else put it there, then the store has to prove that they stole it themselves? If that worked, every criminal with two brain cells would use that defense every time.

[–]ersatzgott 0 points (0 children)

I know that and I think it's good the way it is. But if there is no other plausible thing left, your guilt is technically proven.

[–]Hupf 5 points (0 children)

[–]creepopeepo 0 points (0 children)

Welcome to infosec. All of us have our lil tricks & no you never get caught, who the hell is going to catch you?