
> A kid showed up a bunch of big names.

The kid purposely changed the price of a service to lower it to an insignificant fraction (reportedly from ~27£ to ~0.15£).

If that same kid went around a supermarket replacing price tags to lower the selling price, would you call it "showing up a bunch of big names"?

Say what you may about how broken and buggy the system was. Purposely misusing it for financial advantage is still a no-no.



If the kid could successfully modify the scanned value of physical barcodes, a) that would be quite the feat and b) that would absolutely be showing up a bunch of big names.


This attack has been done trivially for years - you just sticker over the barcode with the barcode of a cheaper item in the store. If you plan to use self-service checkouts for this scam, pick a cheaper item with the same weight or with a tag that prices cheaply per unit of weight (produce) etc.


It wouldn't be quite the feat at all. Barcodes for pre-priced items sold by weight (cheese, meat, etc.) encode the price in the last four digits. Replacing those would be trivial.


Come on, a kid was just fooling around with the developer console and probably had a curiosity just like the comment above:

> Did you try adjusting price?

And he was punished for "hacking", not for stealing, and for indirectly putting to shame whoever was responsible for the epic fail.


> Come on, a kid was just fooling around with the developer console and probably had a curiosity just like the comment above

You're failing to address the point. It is also trivial to switch price tags in supermarkets. If a kid rips off the tag of an expensive product, tacks on another price tag for pennies, and proceeds to pay the reported price at the checkout counter, is this something deemed acceptable or even classified as vulnerability research?

Make no mistake: the system was a shit show and all companies involved pulled some "sociopath mid-level manager saving his ass" moves. But the issue is nuanced.


There was no personal profit. He bought a ticket he never used, just to show people on Twitter how bad the system was. He could have silently taken advantage of his discovery and traveled at no cost for a long time, perhaps. But no.

Sounds more like vulnerability research than crime to me.


IANAL, and furthermore have no idea what Hungary’s legal system is like, but mens rea is a thing. If I break a window by using it as a target for practicing my golf swing (I don’t golf; I have no idea if this is something golfers do) I am culpable. If I break a window because I’m trying to land balls next to the window, I might be culpable. Again, IANAL, so if anyone wants to correct my analogy, please do.


How do you propose he would have been able to establish that this was indeed a vulnerability?


> How do you propose he would have been able to establish that this was indeed a vulnerability?

I could comment extensively on the issue, as it is not as cut and dry as you imply. Instead, I'm going to link to the HN discussion from 2017, as I think it is insightful and covers nuances.

https://news.ycombinator.com/item?id=14835515


Did the kid go around changing price tags, or did they just show that it was possible?



