Web Informant ##171, 11 October 1999:
Don't let shoppers name their price


You have probably heard about Priceline.com, the web site that lets those in pursuit of bargains -- particularly for airline tickets and hotel accommodations -- name their own price. While I have never been able to conclude a transaction there (guess I'm too much of a cheapskate), several friends did get last-minute plane tickets and were grateful to avoid the ridiculous sums airlines charge for eleventh hour planning.

I found another way to get online bargains, though. It involves a simple hack to web shopping cart pages. All it takes is a text editor, a browser, and about five minutes of spare time. To see what I mean, go check out the copy I made of a storefront demo, called Wayne's Widget World, which is maintained by Americart.

Notice the first item has a pull-down list to specify different metal types for your widget. Choose one, and jot down the price you see on this screen. Now click on the button used to add the item to your shopping cart and note the difference between this price and what you are about to pay.

How was this done? Simple. I used Wordpad to change the price listings in this page. Then I saved the page to my hard disk (and also to my site, so you can see how I did it). Then I opened this new page inside my browser. The entire process took about five minutes. It required no cryptography experience. No "social engineering" (calling up people on the phone and tricking them into giving you passwords and other company confidential information). No backdoor Unix commands.

Now, I am obviously not saying that you should do this. Nor do I mean to pick on Americart -- plenty of other shopping cart systems can be similarly tampered with. But I do want to show you how frighteningly easy it is to make these changes, and how important it is for eCommerce proprietors to scrupulously explore all security holes - not just the ones involving complex technologies like cryptography. Fraud will become a big problem as eCommerce explodes, and it's essential to do what it takes to identify (and fix) the vulnerabilities in your shopping cart systems. If you use another shopping cart program and can easily edit the prices as I've done here, consider switching to something more secure.

If you are interested in this topic, and plan to be in the Boston area this week, consider spending a day or two at the Internet Security Conference. I've designed a full-day program on Tuesday that will address these and other eCommerce security issues. There will have presentations from several panels of experts and fellow journalists.

To subscribe, send a blank email to

To be removed from this list, send a blank email to

David Strom
+1 (516) 944-3407
back issues
entire contents copyright 1999 by David Strom, Inc.
Web Informant is ® registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.