Trusting user input WTF



  • https://secure.messagemail.co.uk/secure/virtual_reception_order_form.html

    This webpage permits you to edit the values of the total payable field. It's not just an empty container for displaying text: the value gets passed back to the server when you submit the form.

     Hopefully they just ignore this value and calculate the true total from scratch, based on which payment option the user has chosen. But this website wouldn't exist if everyone was sensible.
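    As an added illustration (not code from the thread or from the linked site), a Python server-side handler that recomputes the total from the chosen payment option and treats the posted total_text field as display-only; the field names, payment options and prices are assumed for the example.

```python
# Added example, not the linked site's code. The form field names
# (payment_option, total_text), the options and the prices are assumed.
from decimal import Decimal, InvalidOperation

# Constructed price list: option code -> amount the server will charge.
PRICE_LIST = {
    "monthly": Decimal("25.00"),
    "quarterly": Decimal("70.00"),
    "annual": Decimal("250.00"),
}

class InvalidOrder(ValueError):
    """Raised when the submitted option is not one the server offers."""

def vulnerable_total(form: dict) -> Decimal:
    """The flaw the first post worries about: the server charges whatever
    value came back in the display field, which the browser can alter."""
    return Decimal(form["total_text"])

def server_total(form: dict) -> Decimal:
    """Recompute the amount from the selected option only; the xxxx_text
    display fields are never read when deciding what to charge."""
    option = form.get("payment_option")
    if option not in PRICE_LIST:
        raise InvalidOrder(f"unknown payment option: {option!r}")
    return PRICE_LIST[option]

def check_submitted_total(form: dict) -> bool:
    """Consistency check only: does the posted display value match the
    server's figure? A mismatch is worth logging (tampering, or a stale
    page), but the server-side amount is what gets charged either way."""
    try:
        posted = Decimal(form.get("total_text", ""))
    except InvalidOperation:
        return False
    return posted == server_total(form)

# Constructed sample submissions (POST bodies as dicts): one honest,
# one where the "total payable" box was edited before submitting.
HONEST_SUBMIT = {"payment_option": "annual", "total_text": "250.00"}
EDITED_SUBMIT = {"payment_option": "annual", "total_text": "1.00"}

if __name__ == "__main__":
    print("trusting the field:", vulnerable_total(EDITED_SUBMIT))
    print("recomputed on server:", server_total(EDITED_SUBMIT))
    print("display value consistent:", check_submitted_total(EDITED_SUBMIT))
```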



  • If you look at the source, the fields have names in the format xxxx_text. This leads me to believe that these boxes are used purely for displaying dynamic values to the user (since they change whenever you select different things). Not the greatest UI ever, but I don't believe they have the security flaw you imagine.



  • They probably just didn't realize/care that they could change the content of things besides textboxes.



  • Where is the WTF? I have seen a lot of pages that calculate the price with JavaScript before sending it (via AJAX or in a hidden field) to an external payment service.

    Not that this is good, but the average website is just insecure, and they usually notice when you have cheated, and they have your delivery address to complain to (or not deliver to if they notice it early enough).



  • @mihi said:

    Not that this is good, but the average website is just insecure,

    Because of you.

    Seriously. Stop defending this sort of junk.



  • @mihi said:

    they usually notice when you have cheated, and they have your delivery address to complain to (or not deliver to if they notice it early enough)
    Not that it would do any good.  In all the cases of this I've heard of in the US, it was decided that the vendor had to provide the good at the price submitted.  They really should know better.

    Even in Taiwan, this kind of thing has been enforced.



  • @belgariontheking said:

    @mihi said:

    they usually notice when you have cheated, and they have your delivery address to complain to (or not deliver to if they notice it early enough)
    Not that it would do any good.  In all the cases of this I've heard of in the US, it was decided that the vendor had to provide the good at the price submitted.  They really should know better.

    Even in Taiwan, this kind of thing has been enforced.

    Surely though it's price offered.  Submitted is a tech term not a retail one.  This would be more like me going into a store, crossing out a price tag with a crayon and writing my own value on it.  Not quite the same.



  • @LoztInSpace said:

    @belgariontheking said:
    @mihi said:
    they usually notice when you have cheated, and they have your delivery address to complain to (or not deliver to if they notice it early enough)
    Not that it would do any good.  In all the cases of this I've heard of in the US, it was decided that the vendor had to provide the good at the price submitted.  They really should know better.

    Even in Taiwan, this kind of thing has been enforced.

    Surely though it's price offered.  Submitted is a tech term not a retail one.  This would be more like me going into a store, crossing out a price tag with a crayon and writing my own value on it.  Not quite the same.
    Not so.  In these cases (not the Dell mistakes), the user fudges the price and the vendor's system processes it as such.  It would be like you going into a store with a crayon, writing your own price, and the system scanning your price at the register, you paying for it, and leaving with your newly purchased good.

    There was a case (I don't have a link -- the story's quite old) where an airline was using hidden form fields to hold the price on the page.  Crafty users changed the field value and submitted it.  The courts ruled that the airline had to provide the ticket at the submitted price.  They learned pretty quickly and really, they should know better.



  • @belgariontheking said:

    There was a case (I don't have a link -- the story's quite old) where an airline was using hidden form fields to hold the price on the page.  Crafty users changed the field value and submitted it.  The courts ruled that the airline had to provide the ticket at the submitted price.  They learned pretty quickly and really, they should know better.

    A story that is somewhat related is that in Australia the other week, there was a bricks and mortar store that screwed up the advertised price of a flat screen TV ($500 instead of $2800 or somewhat - I think the error was that the discount got advertised as the actual price). But from what I understand they are not compelled to provide the TV at that price as it was only an offer to enter into negotiations. The potential buyer would then offer up the amount of money that they wished to pay, and it was up to the store to decide if they wanted to accept the buyer's offer.

    However it starts to get murky as there was an online component as well, and I believe that some people managed to complete an online transaction for the discounted price. I am not sure if doing so implies acceptance of the offer by the store. But I do believe that the transactions were refunded.



  • @OzPeter said:

    @belgariontheking said:
    There was a case (I don't have a link -- the story's quite old) where an airline was using hidden form fields to hold the price on the page.  Crafty users changed the field value and submitted it.  The courts ruled that the airline had to provide the ticket at the submitted price.  They learned pretty quickly and really, they should know better.

    A story that is somewhat related is that in Australia the other week, there was a bricks and mortar store that screwed up the advertised price of a flat screen TV ($500 instead of $2800 or somewhat - I think the error was that the discount got advertised as the actual price). But from what I understand they are not compelled to provide the TV at that price as it was only an offer to enter into negotiations. The potential buyer would then offer up the amount of money that they wished to pay, and it was up to the store to decide if they wanted to accept the buyer's offer.

    However it starts to get murky as there was an online component as well, and I believe that some people managed to complete an online transaction for the discounted price. I am not sure if doing so implies acceptance of the offer by the store. But I do believe that the transactions were refunded.

    What bothers me about this whole concept is that even if the retailer has to provide it at the advertised price, it's still such a jackass thing to do.  I mean, clearly the store made a mistake on the price and I don't think there's anything wrong with hoping the deal is intentional and going for it.  What sucks is when customers demand that they should get the good or service at the price mistakenly advertised.  It was a mistake and any reasonable person can see that.  The customer is trying to get something for nothing and to exploit someone else's mistake for their own benefit.  How selfish and petty are people?  Maybe Best Buy or Wal-Mart should adopt a policy of shortchanging customers and only giving correct change if called on it.  They can profit off the old ladies who mistakenly give a $50 when they mean to give a $20!



  • @morbiuswilters said:

    Maybe Best Buy or Wal-Mart should adopt a policy of shortchanging customers and only giving correct change if called on it.  They can profit off the old ladies who mistakenly give a $50 when they mean to give a $20!

    Don't tempt these people.



  • @Sloloem said:

    Don't tempt these people.

    blah, blah, capitalist pigs, blah, blah, fascists, blah, blah blah



  • @tster said:

    @Sloloem said:

    Don't tempt these people.

    blah, blah, capitalist pigs, blah, blah, fascists, blah, blah blah

    Their greed for money is destroying the healthcare system!  They are trying to kill us because they are racist!



  • @OzPeter said:

    @belgariontheking said:
    There was a case (I don't have a link -- the story's quite old) where an airline was using hidden form fields to hold the price on the page.  Crafty users changed the field value and submitted it.  The courts ruled that the airline had to provide the ticket at the submitted price.  They learned pretty quickly and really, they should know better.

    A story that is somewhat related is that in Australia the other week, there was a bricks and mortar store that screwed up the advertised price of a flat screen TV ($500 instead of $2800 or somewhat - I think the error was that the discount got advertised as the actual price). But from what I understand they are not compelled to provide the TV at that price as it was only an offer to enter into negotiations. The potential buyer would then offer up the amount of money that they wished to pay, and it was up to the store to decide if they wanted to accept the buyer's offer.

    However it starts to get murky as there was an online component as well, and I believe that some people managed to complete an online transaction for the discounted price. I am not sure if doing so implies acceptance of the offer by the store. But I do believe that the transactions were refunded.

    I'm pretty sure that stores are NOT compelled to sell at a price if they make a mistake advertising - I've seen corrections in supermarkets where mistakes were made in the weekly specials.  I've seen "rain checks" offered for out of stock sale items, but I'm not sure if this is compulsory or stores just do it to make their customers happy....



  • @ogilmor said:

    I'm pretty sure that stores are NOT compelled to sell at a price if they make a mistake advertising - I've seen corrections in supermarkets where mistakes were made in the weekly specials.  I've seen "rain checks" offered for out of stock sale items, but I'm not sure if this is compulsory or stores just do it to make their customers happy....

    This is usually governed by state law, IIRC.



  • @morbiuswilters said:

    @ogilmor said:

    I'm pretty sure that stores are NOT compelled to sell at a price if they make a mistake advertising - I've seen corrections in supermarkets where mistakes were made in the weekly specials.  I've seen "rain checks" offered for out of stock sale items, but I'm not sure if this is compulsory or stores just do it to make their customers happy....

    This is usually governed by state law, IIRC.


    And a lot of ads state that the sale is limited to quantities on hand and/or no rainchecks will be issued. That's the typical wording that allows them to avoid having to provide rainchecks. It's normally in very small print somewhere on the page but they just have to include it to be covered.

    In most advertising flyers that I see there's also a disclaimer that they are not responsible for misprints in the ads. That way if the layout person forgets a number or transposes a couple of prices or some text the store isn't on the hook for it.

    Think about it. If you wanted to sell your car and you submitted an ad request to the paper saying it's for sale for $10,000 and they printed it as $1,000, would you want to be required to sell it for that amount?

    Here it depends a lot on whether this was an honest mistake on someone's part or if the merchant did it intentionally just to get people into the store. Since the negative publicity isn't worth it, I imagine it was an honest mistake so while the customer may not be happy, that's not enough to force the store to sell at such a big loss.



  • @sabbott64 said:

    Here it depends a lot on whether this was an honest mistake on someone's part or if the merchant did it intentionally just to get people into the store.


    Yes.  And generally, if it goes to court, I think a major part of the decision rests on just how far off the price was from the list price or any semblance of fair market value.  If the ad says $50 and you wanted $65, you could be in trouble.  On the other hand, if the ad says $50 and the product costs $5000 wholesale, a judge will usually conclude that a "reasonable person" would/should realize that it's a misprint.  It's sort of like how the libel/slander laws permit satire on the basis that no reasonable person would interpret it as intending to be a statement of fact.

    This also happens all the time on car sites like autotrader.  Idiot dealers put a monthly payment as the asking price.  I don't think there's any way to legally bind them to that price, even though some of them probably make the "mistake" on purpose.

    When it comes to advertising, consumer protection laws don't extend much further than outright fraud.  Anything that happens after purchase though, you can pretty much sue the pants off of them for.



  • @Aaron said:

    @sabbott64 said:

    Here it depends a lot on whether this was an honest mistake on someone's part or if the merchant did it intentionally just to get people into the store.

    Yes.  And generally, if it goes to court, I think a major part of the decision rests on just how far off the price was from the list price or any semblance of fair market value.  If the ad says $50 and you wanted $65, you could be in trouble.  On the other hand, if the ad says $50 and the product costs $5000 wholesale, a judge will usually conclude that a "reasonable person" would/should realize that it's a misprint.  It's sort of like how the libel/slander laws permit satire on the basis that no reasonable person would interpret it as intending to be a statement of fact.

    Also, as I understand it, it depends upon the size of the merchant and the merchant's track record.  For example: A merchant has a track record of saying things like, "The first 10 customers on Dec 26 will be able to buy one of these $1k items for $1," knowing that they'll be mobbed as a result, and many people will pay the full $1k for the item which only cost them $200.  This merchant makes a mistake saying they're selling a particular item at 0.1% of normal price (for the math challenged out there, such as Verizon employees, that is 0.001 times the normal price.  For example, $1 instead of $1k), without limit other than the sale period.  This merchant is probably SOL, unless they can show that this would bankrupt them.

    Disclaimer: IANAL, nor do I play one on the Intarwebs.

