Discovered a Loophole, What to Do?

Hi All,

I have a question of ethics here… I recently discovered a loophole on a big retailer website. Basically I am able to make orders without paying anything, I've confirmed it 100% works.

Unsure as how to act here… my obvious options are:

  • Report the issue to the company
  • Do nothing
  • Take advantage of it

What are your thoughts on these sort of things? I'm torn.

PS: No, I won't disclose the name of the retailer or how it works.

Comments

  • +1

    This is less a question of ethics, and more a question of responsible disclosure. The main question is whether you feel that you need to disclose the vulnerability to the "target" organisation.

    There are a range of very valid reasons as to why someone would choose not to disclose vulnerabilities to a vendor. The most compelling is, oftentimes a person from the general public may be accused of "unauthorised access/misuse of computer systems" as part of vulnerability identification when they let the vendor know.

    If you are professionally a security researcher/penetration tester/{sys|network} admin etc, then the likelihood of something like the above happening when reporting vulnerabilities is almost non-existent. There are many reasons behind this, the most important being credibility and attribution.

    However, if you are Joe Public, I would urge you to be a lot more cautious. :) Especially if it is a relatively large organisation, and you have actually exploited the vulnerability (to test it of course).
    Some advice if this is indeed the case:
    1. Be extremely polite in your initial email. Make sure all comms are conducted in a professional and courteous manner.
    2. Use a burner email account.
    3. Your initial contact should contain very little technical detail. Ask to be provided the email details of the relevant technical department.
    4. In your subsequent emails, provide as much information as you can about the issue. Include screenshots etc, as well as steps to replicate it. Try not to include screenshots or information where it clearly demonstrates that you have exploited the vulnerability (try not to self-incriminate :P )
    5. At no point hint at (or worse, blatantly ask for) a reward/compensation for your time. This can be legally construed as blackmail/coercion etc. Don't shoot yourself. If the organisation is not bloody minded, you'll get something out of it.

    I would be very careful with disclosing this to your friends and family. Also, I would highly recommend not abusing the vulnerability, as you may be in a world of pain if discovered. Unfortunately, laws around the world are an absolute clusterf**k, and on a number of occasions, a ridiculously ham-fisted approach is taken to punishments (especially as there is a disproportionate assessment of "impact").

    Full Disclosure:
    I work in the "industry" and have done this previously. Most of the time, all you get is a warm "thank you", but sometimes I've gotten a license key or subscription as a gesture of gratitude. :)

  • +3

    Ask yourself. If I were physically in the store, and I knew 100% that I could walk out with the items without getting caught, would I do it? Being on the other end of a keyboard shouldn't change your values.

  • Is it a simple XSS method?
    If so, I'd simply report the bug. It's illegal and can result in you having to pay for the items as you agree to a contract at checkout, then edit the data and pay a different amount on PayPal/at the payment gateway, rendering the contract unpaid for in full.

    If it's something where you simply are able to get the cart (technically a contract) to show up as $0, if they then honor that and send out the items you're legally in the clear, sort of. The only contract you signed in that case would've been agreeing to terms at checkout; once they've then sent it out the contract is complete; they can't request the items back.

    Overall, without stating the exact method no one here can tell you if it's legal or not. Ethically it's wrong, though I'm guilty of abusing the Telstra data "hack" posted a few months ago, so I'm not one to comment on ethics.

    • It's more about your second example of getting the cart to show up as 0, regardless of the article. No XSS or 'hacking' involved. Pretty simple actually.

      • That's in a way legal then (most likely), though still ethically wrong. Personally I wouldn't abuse it.
        I abused the Telstra method, though that was still $0.50/GB, with how spread out across the country (and across lengthy periods of time) the data was/will be used, I really don't think Telstra even lost out for that - they possibly even profited.

  • +1

    How many PMs have you received?

  • Well, I know which website it is, it is B**W lol!

  • If you're worried they will ban you and try to sweep it away quietly then notify them publicly. Post up the details on their Facebook page as a concerned customer. They will have no choice but to publicly thank you.

    • They will have no choice but to publicly thank you.

      LOL.
      You can't be that naive can you?
      Have you seen what happens on the VAYA Facebook page? All the ragers get their posts deleted and banned.
      Depends on the company I guess

  • +3

    Start your own little online store and sell those items at a bargain to Ozbargainers 😉

  • Post on Ozbargain

  • +1

    this is probably Harvey Norman building a Today Tonight case against Ozbargain

  • +1

    I say start buying things for charity. Xmas is around the corner and the Salvos can always use a little more :) Your user account details should change each time… Father Christmas, Rudolf, Elf Slave etc

  • OK, I'm going to go another route here.

    Don't let them know who you are, ever. If you ordered something to 100% confirm it, that's theft most likely and they could charge you with it. Remember that their legal team might see this and they don't give a (profanity) if you're helping them at all, they see "someone screwed us over" or "someone is hacking our website"

    So, if you report it, do it 100% anonymously to protect yourself unless they have a disclosure program, and I doubt they will.

  • My 2c worth, let the retailer know. If it's significant, e.g. $500+ items (not $500 worth of Papermate pens), I reckon it's important that this information is delivered personally to the right person (read: someone high up/who can take direct ownership) in the organisation. This way you achieve 2 things: brownie points for your good deed and possibly a reward to go with it. Who knows, if you are working in that industry, there may even be a job opportunity in the future.

  • I'd avoid. It's likely a backdoor that someone knows about but either wants to see who exploits it or cannot patch it and are definitely logging. Think you're safe and anonymous? Think again.

  • +3

    Personally I would do this:
    Visit site through a vpn/proxy, logged in through a public wifi (such as maccas), on a spare computer that is completely clean of anything of yours, preferably all programs being run through a tails USB.
    Find a drop address (if the item doesn't require signing) and have all items dropped off there where you pick them up. Easy profit, no traceback to you.

    If there is signing required, I would start a small shop online, charging 70% of market value through bitcoin. People would pay me, I'd purchase the product (as per method above), send it to their address. Profit.

    You have a massive money making opportunity here, don't let it slide.

    • Sell the information to a pen-test company. They can market their services to the business with the lure of a free consult, and they have a guaranteed reveal.

  • You will probably find, somewhere on the retailer's terms of sale, something along the lines of:

    Big Retailer reserves the right to cancel, at any time before delivery and for whatever reason, an Order that it has previously accepted. Big Retailer may do this for example, but without limitation, where:

    (a) Big Retailer suppliers are unable to supply Goods that they have previously promised to supply;

    (b) an event beyond Big Retailer's control, such as storm, fire, flood, earthquake, terrorism, power failure, war, strike or failure of computer systems, means that Big Retailer is unable to supply the Goods within a reasonable time;

    (c) Goods ordered were subject to an error on the Website, for example, in relation to a description, price or image, which was not discovered prior to the Order being accepted;

    You may as well run with it (ordering something). At worst your order will be cancelled.

  • How did you manage to confirm it is working without going through with it?

    Anyway, let the company know if you can. If they elected to do nothing after you pointed out the loophole, then it is their fault.

  • Probably going to be flamed and downvoted but I'll be honest.

    Depending on the company I would probably order something relatively big but not huge (for example I would get a new Xbox and some computer parts) and have them deliver.

    Use them as normal and see if anything comes of it.

    I don't believe in karma but saying that, if it's a small business I would feel bad, but if it's a large corporation I couldn't give a flying F.

    If something does happen, apologise, pretend you didn't realise and offer to pay.

    It becomes obvious if you start ordering something every few days and not paying, but if you are a long time customer, and suddenly have a free bunch of items (in 1 transaction) you will be fine.

    After 6 months if nothing happens you're probably fine to do it again.

    EDIT: after reading other peoples responses I would just go with the anonymous route.

  • +1

    I'm not a lawyer so usual disclaimer about acting based on my advice - basically get better advice before you do.

    If you discovered it accidentally you could have reported it right away as a suspected glitch. If you've done any kind of testing you're going to be in deep water. You aren't authorized to pentest the system. You could be charged under computer misuse act. I'd steer well clear of doing anything that looks like you're trying to test or exploit the system. If you've already done such, seek legal advice.

  • +3

    The world is full of selfish, opportunistic people. Don't be one of them.

  • +5

    Ex-staff member who programmed the website checkout has probably been using it to get free stuff for years :)

  • I don't understand what you are trying to achieve here.

    1. If you're trying to gain money then why risk it, exploit the loophole and make your money. Don't be greedy or stupid and you might be able to leech this for a while, and maybe even get away with it.
    2. If you're not interested in the money then tell them about it, they will close it and audit their transaction systems.

    There's NO WAY to make money AND close the loophole (if you're hoping they are going to compensate you with some kind of prize). Without knowing the details of the exploit coming, even anonymously, they will find you.

  • I lost my wallet and the idiot who got my wallet used my credit card to purchase luxury bags. I was so pissed off and reported it to the police; after a few weeks, the police called me and returned my wallet.

    My point is, regardless of the nature of your discovered loophole, there is always a possibility that it can be tracked back to you. Just be careful.

  • +1

    You guys are so gullible. This guy is FOS. I choose option 4; get off the Internet and help mama wash your spiderman boxer shorts.

  • +4

    Look, Old Gerry is doing it tough enough with this damned internet shopping thing and experts trying to exploit him through buying cheaper overseas. You should give the poor bloke a break, like the government did through introducing the GST on online purchases. He's gotta live too, in his mansion.

    • +1

      *mansions

  • Just because it is a big company, it does not make it right to steal from them.
    If you can let them know, that would be the best. Don't exploit the loophole.

  • +3

    Lots of jelly people here

  • -1

    I think exploiting bugs in systems is considered a crime. Whether it may be ATMs that spit out extra money, or note-to-coin machines that start dispensing money after scanning half your note, only to spit it back out because the note you fed it failed validation because the note was torn and missing the last 10%.

  • Double post

  • You should report it. It could be a criminal offence otherwise. I wouldn't risk it

  • I would say……

    1. Definitely DO NOT take advantage.

    2. Report to local police and get a reference number.

    3. Contact the head office, there will be a gatekeeper for the CIO or IT Manager. Tell them you have a tier 1 issue identified, quote the police reference and explain it is in their best interest to minimize loss and brand damage.

    The world has become overly complicated for people to do a good thing out of goodwill. You can consider making bigger noise by telling the media, if the media agrees to confidentiality and helps with approaching the top management of that corporation.

  • +1

    Merry fcking Christmas.

  • +2

    I'd probably chance my arm and use it provided nothing super shady/illegal was done to find the exploit.

    People freaking out saying it's stealing…. but is there any real difference here to a pricing error… which nobody seems to have a problem taking advantage of?
    In fact, most animosity is aimed at the company over not honouring them.

    If there was a $1000 item with a pricing error that made it $100, everyone would jump on it, no questions asked.
    -$900 per item for the company.
    But if there's a $50 item that's bugged somehow and you get it for free…
    -$50 per item for the company.

    Just because you hand over some money for a pricing error doesn't make that any less 'stealing' than using a bug in a system to get something for free (provided it wasn't obtained illegally).

    Just using that as an example - I know OP is talking potentially higher values.

    • Without paying for the item… um… that really is theft.

      very interesting example here Deviner

      What if OP has to pay a minimal fee for the item (price error rather than a loophole which leads to $0 payment)?
      Is it still an act of stealing?

      • My entire point is… they're both stealing.

        But the word "stealing" is never mentioned whenever someone posts up a "price error" and a lot of the people screaming "this is stealing!" here are the same people who'd try to avail of the price error before it was fixed.

        I'd probably do both, but I'm just being honest.

  • +1

    Ignore it. You've already tested it by making an order so reporting it could get you in trouble.

  • +6

    Pretty sure the precedent is to report it to the company in the following manner,

    Post on Ozbargain
    Have thousands of Bargainers take advantage and crash the site
    You are rewarded with a popular deal badge
    Company becomes very, very aware of the problem
    Company issues email cancelling orders
    Your popular votes are revoked.
    Company finds someone who can do their job properly.

    • ^ That's it. Follow tonka's advice.

      Or send me a private msg and I'll take care of it for you.

  • -3

    I discovered a loophole in a bank. I abused it for 1.5 years. Didn't tell anyone. Then it got closed. But it was good times for 1.5 years. Free money. No fraud or stealing though.

    • +1

      No fraud or stealing?? Please don't leave us hanging there. Tell the full story.

    • Wasn't there a 0.5c thing going on for a while, where interest calcs of 0.5c were being rounded down for the customer and the collective 0.5c was being sent to someone who knew how to take advantage of these things?

  • I discovered how to take out unlimited money (the max you had on the card) from travel money cards at Commonwealth Bank ATMs. The daily limit was 5k. I was easily able to get out 20k at a time. They have closed the loop now.

    • With 4 cards?

      Don't forget the $15 fee

      • No with just 1 set of travel cards (Set of 2)

        $15 was only for reload…. cost nothing to retrieve the money.

        • Oh really? Didn't know that. Thought it was a 5k limit per account. So you were able to use the 2nd card too. Damn.
          Oh well it was fun.

          How much QFF points and reward points did you get?
          I think I gained over a million QFF, 2 MBPs, two free flights to Hong Kong, about $3000 in cash and thousands, maybe 10-20k, saved in interest.

      • The thing is, those people used the bank's money, so obviously it was fraud.

        What we did is not. It's merely spending credit card money, which as long as you paid the bill at the end of the month, nothing is wrong.

        I visited an ATM every day for one and a half years to withdraw money, even on Xmas day and Xmas eve etc etc :) Worth it imo

        • Amen brother… end of an era :)

        • @Sirocco: Old thread I know, but would you be able to explain this loophole in more detail?

  • +2

    My mate discovered a loophole in the Virgin Australia website. Used it to get free flights (or almost free, except fuel surcharge I think?) for a year.

  • UNLIMITED POWER

  • If you're worried about the fear mongering release the loophole anonymously. It is doubtful they will sue thousands of people. At worst you might get invoiced for goods you ordered which is a fair outcome.

  • It's completely up to you and what you are ethically comfortable with.

    I was in a similar situation a few years ago, where I ended up claiming $1000 worth of items for free due to a mix up with a delivery company of items.

    I felt like absolute shit, and I was a bit paranoid I'd be found out, but in the end I was comfortable with them being a large company, it not being my fault, and just my personal circumstances at the time just really needing a break. Yes, it is effectively stealing so you gotta be comfortable with admitting that to yourself.

  • +1

    Happened to me a couple of years back. Someone managed to get access to my Netbank and I had SMS code security at that time. They managed to port my number to theirs and log on using the netcode SMS sent to my number (their number then). Took 10k and transferred it to another bank account in Sydney. I noticed something was up when my phone number died; I rang Optus and they said "you just ported your number" :-0 It was like a scene from a movie I tell ya.

    Numerous phone calls to CBA, Police, Optus etc.. got it sorted and got my money within a month.

    It's not the Bank's fault, it's my fault for logging in to Netbank through my phone, tablet, home PC, work PC etc..

    Lesson learned!

  • +2

    Someone may have posted this before, but anyway…

    Just because you find and use a loophole doesn't mean it's okay, as this gentleman found out when he found a loophole in an NAB ATM that allowed him to withdraw unlimited cash:

    http://www.smh.com.au/national/fast-money-20140803-3d2x4.htm…

    Charges have been laid

    http://www.theage.com.au/victoria/gambler-who-swindled-nab-t…

    So, if you find the loophole, exploit it, the business can come after you with police action. Using the loophole once is not going to attract trouble. Making a habit of it is. I know the OP isn't exploiting the loophole and just wants to know what to do with the information, but giving the info to the wrong person can mean a lot of trouble.

  • -2

    From a legal stand point, coming on a public forum and openly admitting to a crime is quite stupid.
    You stated in your description "Basically I am able to make orders without paying anything, I've confirmed it 100% works."… this is an admission of guilt and you'd want to hope the retailer doesn't catch on to what you've done.

    It doesn't matter that it's a glitch, it's still a criminal offence to steal.

    Take this example: a delivery guy drops off a pallet of food at Woolworths out the back on the delivery dock, staff are all overly busy and somehow don't hear the dock bell. Does this mean I can just walk up and take whatever I like and it's somehow OK because it's the retailer's fault… NO.

  • I've come to the conclusion that ozbargain should be renamed ozbogan, pretty clear it's a community that think stealing is still a form of "bargain" finding…

    • Poor form stereotyping bogans as thieves.

      Your comment is something that would be more representative of the lower education associated with bogans than the uniform criminal behavior you imply.

      • Over 200+ prior comments that suggest this guy should just keep doing it say otherwise.

        • At the moment Ipiok says Ozbargainers are thieves and therefore must be bogans.

          You say it must be true as the Ozbargainers are thieves.

          I say for the statement to make sense Bogans must be thieves or thieves must be Bogans. Which is a self righteous and bigoted view of Bogans, and therefore ignorant in the manner that Bogans are thought of.

          Since when did Bogans become the new word for crook/felon/hoodlum etc.

          ps. I call challenge on the 200+ comments there are a hell of a lot that describe it as morally/ethically wrong.

  • -1

    I'm guessing that hidden somewhere in all their legal mumbo jumbo would or should be a clause relating to such a possibility and stating that in any such cases the purchaser can be charged for items when it is detected. Even if such a clause does not exist, if the items purchased were worth the trouble they would at least have their solicitor draw up a letter of demand of payment and probably threaten legal action or exclusion of the person guilty of the CRIME from any further online purchases.

    Taking the long term view, as we age our moral compass can change and we may recall such infractions with regret. Sometimes forcing us to reimburse the sum in question plus interest to the aggrieved party. Even so, we still have that guilt within our mind and no amount of money can erase that. Maybe those of the Catholic persuasion can have their mind eased by going to confession, but for others it's not so easy.

    Not talking from personal experience. Just chalk it down to my being an observer of life and/or a prolific reader.

  • Just go ahead and exploit it. Obviously don't do anything stupid like order $10k worth of stuff. But just make a reasonably sized order every few weeks.