undefined | Better HN

0 pointscheschire7mo ago0 comments

I’ve used browser dev tools to regularly add additional drop down options to menus that weren’t present. Huel, for example, only offered 2 or 4 week subscriptions, so I added 3 weeks to it because that’s the frequency I needed, and it worked no problem. 3 weeks later my shakes arrived and every 3 weeks since.

0 comments

codethief7mo ago

I did something similar on an airline website earlier this year: I wanted to change the date of my return flight and also make it an open jaw (i.e. leave from a different airport than where I had arrived). Changing my flights was included in my original fare, modulo the fare difference. Unfortunately, on their website the input text field for the airport I would be flying out from would get disabled a second or two into loading the "alternative flights search" page, and wouldn't allow me to make it an open jaw. So I fired up my browser dev tools and changed the value of the text field to the desired airport code. Suddenly, I was finding the flights I had been looking for – as it turns out, at no additional charge whatsoever.

anal_reactor7mo ago

My insurance company has different frontend password regex on registration page and on login page. My password passed the registration regex but fails the login regex. In order to log in, I need to manually remove the frontend-side password regex check.

abustamam7mo ago

This absolutely boggles my mind. My last insurance company let me create a 20 character PW but limited the password field on the login screen to 16 chars. I didn't think to futz around with the code so I just recreated a less secure password. I suspect many other less technical people either did that too or just called support.

There is zero excuse for that though. 16 chars is just way too short for a proper secure pass phrase, but at least make it consistent with password creation!

encom7mo ago

Ever since I started using a password manager (a long time ago), I have encountered SO MANY password bugs. But one of the most frustrating issues, is when a website asks you to create a password, but does not tell you what length or characters are accepted. So you have to dumb down Keepass incrementally until it passes. A tedious game.

If your software doesn't accept this password, please change career immediately:

ú¨<¹7®fÍå0Á1n:1}Àº»ê:t]íw´¾ã\B²¸Æþ®M3_ø>$¼ÿa÷mH¦ñ%?6ñE$l#DhqI£«{'Ø"V^c4u

ewoodrich7mo ago

Variant of this I've hit is the phone number validation rules at signup differs from the actual API call to send 2FA texts (or was changed between the time of original signup and login attempt) so I create an account successfully with a Google Voice number and then when I actually need to receive 2FA the message goes into the aether with no error surfaced at any point.

codethief7mo ago

> Variant of this I've hit is the phone number validation rules at signup differs from the actual API call to send 2FA texts

Yeah, this is incredibly annoying, though to be fair, this can be a hard problem to solve. 3rd-party systems often don't tell you what their exact phone number validation rules are or silently update them, and then, to top it off, don't throw errors when validation fails. And more often than not, the 3rd-party system's developers also must have never heard of the Falsehoods programmers believe about phone numbers[0].

Source: I was responsible for adjusting phone number validation for a major ecommerce site in the past.

[0]: https://chromium.googlesource.com/external/libphonenumber/+/...

jacquesm7mo ago

What's insane is that there are countries where this is considered hacking, even if all you do is change the URL.

somefile-small.jpg -> somefile.jpg

abustamam7mo ago

Black hat hacking or white hat hacking? Genuinely curious because a lot of these security write-ups can't happen without "hacking." which may explain why we don't get these security write-ups from folks in those countries.

sgarland7mo ago

Somewhere, there is a table with a `frequency` column, storing client-supplied values, and an application happily accepting them as-is.

This is why you normalize your tables and use FK Constraints - you aren’t going to catch all the edge cases in code. Let the DB be the final arbiter of validity, because it’s been tested to hell and back.

Re: Huel, that’s pretty smart. My rate of consumption is fairly consistent (usually 1x/day on weekdays), but occasionally I’ll have one on the weekend, so the given cadences worked for me. I do 2x 12-pack / 4 weeks to hit the free shipping tier.

mulmen7mo ago

Did you try adjusting price?

achairapart7mo ago

A kid in Hungary was arrested for exactly this (and it was a cheap bus ticket): https://www.bitdefender.com/en-us/blog/hotforsecurity/budape...

umanwizard7mo ago

It doesn’t seem crazy to me that someone should be arrested for that! It’s stealing. If someone came in my house and stole my property I’d expect them to be arrested, even if I had stupidly left the door wide open.

jacquesm7mo ago

Why are you on HN?

A kid showed up a bunch of big names. That's the equivalent of a kid walking into a bank and somehow making it into the vault, alerting security to the fact that it's possible without actually making off with all of the gold. That's on the bank, not on the kid. Nobody came into your house or stole your property. If they had the police likely wouldn't show up, nor would the case make the newspaper even if - hah, as if that happens - they made an arrest.

The only reason you are hearing about this is because someone at 'bigcorp' didn't want to accept responsibility for their fuckups, and so they used the law to come down on some kid which effectively did them a service, which costs society a large pile of money, further externalizing the cost of their fuckup.

3 more replies

Nextgrid7mo ago

According to the article the system was developed by a regional subsidiary of a German mobile telco, which already tells you everything you need to know about its quality, but on top of that it was rushed to launch in time for some sporting event and thus even less testing was done that would normally happen.

Here's a better article: https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-... - it seems like this was good faith security research (he disclosed the issue after testing it) and he couldn't use the transport pass he "stole" because he didn't even live in their service area anyway.

This arrest had nothing to do with stealing and all to do with putting well-connected, incompetent people in a very uncomfortable position.

wqaatwt7mo ago

No. It’s if you were selling something in your house for $10. Somebody came in, crossed out the number on the tag, wrote down $1 and handed you a bill.

Then you took their money and gave them the item without saying anything.

Would seem like a weird situation but I don’t see how its theft.

1 more reply

detaro7mo ago

It's more that they walked by, saw your door open, popped their head in and then called for you to make sure you knew the door was open.

cheschireOP7mo ago

I am not malicious or willing to attempt theft. Academically though, in an official testing environment, that would be entertaining to attempt.

mulmen7mo ago

Yeah I’m not suggesting that you adjust the price, just curious if they were passing price through the client as well.

Zekio7mo ago

you can do this on surprisingly many websites, where they include the price in the url they redirect you to, when going to the payment provider, and even then often it is only protected by an md5 hash if it is verified

esseph7mo ago

I love this so much

umanwizard7mo ago

That’s incredible

j / k navigate · click thread line to collapse

0 comments

codethief7mo ago

anal_reactor7mo ago

abustamam7mo ago

There is zero excuse for that though. 16 chars is just way too short for a proper secure pass phrase, but at least make it consistent with password creation!

encom7mo ago

If your software doesn't accept this password, please change career immediately:

ú¨<¹7®fÍå0Á1n:1}Àº»ê:t]íw´¾ã\B²¸Æþ®M3_ø>$¼ÿa÷mH¦ñ%?6ñE$l#DhqI£«{'Ø"V^c4u

ewoodrich7mo ago

codethief7mo ago

> Variant of this I've hit is the phone number validation rules at signup differs from the actual API call to send 2FA texts

Source: I was responsible for adjusting phone number validation for a major ecommerce site in the past.

[0]: https://chromium.googlesource.com/external/libphonenumber/+/...

jacquesm7mo ago

What's insane is that there are countries where this is considered hacking, even if all you do is change the URL.

somefile-small.jpg -> somefile.jpg

abustamam7mo ago

sgarland7mo ago

Somewhere, there is a table with a `frequency` column, storing client-supplied values, and an application happily accepting them as-is.

mulmen7mo ago

Did you try adjusting price?

achairapart7mo ago

A kid in Hungary was arrested for exactly this (and it was a cheap bus ticket): https://www.bitdefender.com/en-us/blog/hotforsecurity/budape...

umanwizard7mo ago

jacquesm7mo ago

Why are you on HN?

3 more replies

Nextgrid7mo ago

This arrest had nothing to do with stealing and all to do with putting well-connected, incompetent people in a very uncomfortable position.

wqaatwt7mo ago

No. It’s if you were selling something in your house for $10. Somebody came in, crossed out the number on the tag, wrote down $1 and handed you a bill.

Then you took their money and gave them the item without saying anything.

Would seem like a weird situation but I don’t see how its theft.

1 more reply

detaro7mo ago

It's more that they walked by, saw your door open, popped their head in and then called for you to make sure you knew the door was open.

cheschireOP7mo ago

I am not malicious or willing to attempt theft. Academically though, in an official testing environment, that would be entertaining to attempt.

mulmen7mo ago

Yeah I’m not suggesting that you adjust the price, just curious if they were passing price through the client as well.

Zekio7mo ago

esseph7mo ago

I love this so much

umanwizard7mo ago

That’s incredible

j / k navigate · click thread line to collapse