
Other: Found a major flaw in a retailer website - What shall I do?

Discussion in 'General' started by AndyDEL, 26 Apr 2009.

  1. AndyDEL

    AndyDEL What's a Dremel?

    Hi,

    I've found a flaw in a retailer's website. It just requires you to enter items at certain points, applying discounts at those points.

    The gist of it is, the discounts get miscalculated. For some very odd and strange reason it gives you a huge reduction in the VAT.

    I received the credit agreement (as I want buy now pay later) last week and lo and behold, the item I purchased is a good £150-200 cheaper than you could buy it anywhere else due to the reduction. (This is a £1000 product.) Quite a reduction, I'm sure you'd agree, even more of one considering their prices are a little higher, so it's more on the side of a £250-300 reduction. If I was to pay right now over the phone, I'd have got the item for £250-300 less than they actually sell it for. So quite a huge issue.

    I work in QA for blood analysis software, so I've got a knack for finding these types of issues. 1-2 years ago I managed to get around the Xbox Live subscription; my vid was featured in the news on this website and many other places. (Showed it was possible but not how to do it.)

    I was wondering what I do about it. I mean, I'm tempted to contact them and inform them of the problem, but in such a way that I want payment for the problem before I hand over the issue :p. I mean, I've tested the issue and proved it's present. When I contacted Microsoft and helped them fix their issue, not even so much as a free game for my help. Even one of their devs couldn't believe they didn't reward me for my silence and help in the matter.

    So this time I'd like a little cash for my help :) - Not about to do someone's job for them. In addition, if I was in charge of QA there, this would never have happened ;).

    I mean, I'm not liable; the bug is their fault, and due to me having the credit agreement in front of me, it's now legally binding.

    How would you lot recommend I go about trying to get some cashola for this?
     
    Last edited: 26 Apr 2009
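Added illustration, not part of the thread and not AndyDEL's findings: the post describes a checkout where the point at which items and discounts are entered changes the VAT, so the class of defect is order-dependent discount and tax arithmetic. The Python below is a hypothetical checkout with a constructed double-counting bug (the retailer's actual defect is not described on the page) beside a correct reference, plus the invariant checks a QA tester would script against either: VAT equals the rate times the discounted net, total equals net plus VAT, VAT is never negative, and the total does not depend on the order the operations were typed in. The 15% VAT rate, the basket contents and the operation format are all assumptions made for the example.

```python
from decimal import Decimal, ROUND_HALF_UP
from itertools import permutations

# Assumption: UK standard VAT rate of 15%, the rate in force in April 2009.
VAT_RATE = Decimal("0.15")
PENNY = Decimal("0.01")


def pennies(amount):
    """Round to whole pence the way an invoice line would."""
    return amount.quantize(PENNY, rounding=ROUND_HALF_UP)


# A basket is the sequence of operations the customer performs, in order:
#   ("item", "999.99")  add an item priced net of VAT
#   ("voucher", 10)     apply a 10% voucher at this point in the checkout
def totals_correct(ops):
    """Reference behaviour: vouchers discount the whole basket, VAT is charged
    once on the discounted net, and the order the operations were entered in
    cannot change the result."""
    net = sum((Decimal(value) for kind, value in ops if kind == "item"), Decimal("0"))
    for kind, value in ops:
        if kind == "voucher":
            net -= net * Decimal(value) / 100
    net = pennies(net)
    vat = pennies(net * VAT_RATE)
    return {"net": net, "vat": vat, "total": net + vat}


def totals_buggy(ops):
    """Hypothetical defect (constructed for this example, not the retailer's
    real bug): net and VAT are kept as running buckets; a voucher takes the
    percentage off the net bucket AND charges the whole gross discount against
    the VAT bucket, so the discount is taken twice and the VAT line collapses.
    Because the buckets are running totals, the result also depends on when
    the voucher was entered relative to the items."""
    net = Decimal("0")
    vat = Decimal("0")
    for kind, value in ops:
        if kind == "item":
            price = Decimal(value)
            net += price
            vat += price * VAT_RATE
        elif kind == "voucher":
            pct = Decimal(value) / 100
            gross = net + vat
            net -= net * pct
            vat -= gross * pct  # BUG: discount on the inclusive price deducted from VAT
    net = pennies(net)
    vat = pennies(vat)
    return {"net": net, "vat": vat, "total": net + vat}


def audit(totals_fn, ops):
    """Invariant checks for one checkout implementation on one basket.
    Returns the list of violations; an empty list means it passed."""
    problems = []
    r = totals_fn(ops)
    if r["vat"] != pennies(r["net"] * VAT_RATE):
        problems.append(f"VAT {r['vat']} is not {VAT_RATE} x net {r['net']}")
    if r["vat"] < 0:
        problems.append("negative VAT line")
    if r["total"] != r["net"] + r["vat"]:
        problems.append("total is not net + VAT")
    # The same items and vouchers entered in any order must cost the same.
    totals_seen = {totals_fn(list(p))["total"] for p in permutations(ops)}
    if len(totals_seen) > 1:
        problems.append(f"total depends on entry order: {sorted(totals_seen)}")
    return problems


if __name__ == "__main__":
    # Constructed basket: a £1000 item, a 10% voucher, then a £200 add-on.
    basket = [("item", "1000.00"), ("voucher", 10), ("item", "200.00")]
    for name, fn in (("correct", totals_correct), ("buggy", totals_buggy)):
        print(name, fn(basket), audit(fn, basket))
```

The order-independence check is the one that catches the class of bug the post describes: it re-runs the same basket in every permutation and flags any implementation whose total moves. On the constructed basket the buggy checkout charges £1165.00 where the reference charges £1242.00, and the VAT line drops from £162.00 to £65.00, which is the "huge reduction in the VAT" pattern rather than a cheaper net price.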
  2. Turbotab

    Turbotab I don't touch type, I tard type

    Before you pay, any price is not legally binding; it is only an invitation to treat. However, once they have taken your payment, that's a legally binding contract. I reckon if they catch on to the error, they could stop your order by pretending they have no stock etc.
     
  3. AndyDEL

    AndyDEL What's a Dremel?

    Turbotab - I have the item, I have the agreed credit agreement here in my hands, which has been signed by them. It's legally binding; all they can do, as per the credit agreement's terms, is end the agreement early, asking for early settlement. Which means I still only pay the reduced price.

    So it is legally binding. They're ****ed. Basically they could be losing a lot of money by people not noticing the miscalculation. By the way it works, it's quite hard to notice the miscalculation unless you're looking for it.
     
  4. Turbotab

    Turbotab I don't touch type, I tard type

    :cooldude::thumb:
     
  5. Burnout21

    Burnout21 Is the daddy!

    You could inform them of what happened as a loyal customer, explain that your case is legally binding; however, you wish to help. Then ask for a discount on your next order!
     
  6. Guest-23315

    Guest-23315 Guest

    Fixed.
     
  7. ch424

    ch424 Design Warrior

    Yeah, I'd just be nice about it and hope they're nice back. Anything else is dishonest.
     
  8. AndyDEL

    AndyDEL What's a Dremel?

    I don't want a 'discount' - I want something substantial for this issue.

    It's potentially costing them thousands upon thousands - the higher the value of the product, the more money they're losing. Over a long period of time unnoticed, this could cause a huge amount of problems.

    Fact is, when I've done contracted work in QA I've earned around £400 a day. I'd want a hell of a lot more than a discount for a very serious issue like this. Not gonna be like Microsoft, where I helped them resolve an issue without asking anything in return, with not so much as a thank-you card for my efforts.

    It doesn't pay to be nice, unfortunately. Once I hand the details over, they wouldn't give a toss.
     
  9. capnPedro

    capnPedro Hacker. Maker. Engineer.

    Very true, but the wording of your first post seems to imply you wish to blackmail them!
     
  10. DougEdey

    DougEdey I pwn all your storage

    What website out of interest?...
     
  11. AndyDEL

    AndyDEL What's a Dremel?

    I don't wanna blackmail them - blackmail would be me threatening to release the details online, so within the window of that happening and them fixing it they could lose tens of thousands.

    My intention is to say 'Look, I found an issue which could cost you big time.' I looked into the issue, confirmed it. This is what I do for a living - I think I should be rewarded for handing it over. If they refused, I would NEVER release the details; I'd just simply refuse to hand the details over and let it be. Still with a grin on my face that I got a heavily reduced product anyway.

    DougEdey - For obvious reasons, I can't tell you lot who it is, but it's a major retailer. Ads on TV all the time etc.

    I just checked the issue on one of their highest-value products: over £1300 reduction from the VAT miscalculation lol.
     
  12. Guest-23315

    Guest-23315 Guest

    I think it's extortion anyway.
     
  13. AndyDEL

    AndyDEL What's a Dremel?

    Maybe some people who feel it's extortion should understand the industry a bit better...

    There are many companies in the world whose sole purpose is to try and hack or get around websites or security systems. After they have, say, successfully managed to hack a retailer's website to get free stuff, they contact that retailer and ask for payment in return for the details of the issue.

    Not sure how what I wanna do can be considered extortion when some companies' only purpose is to do this day in, day out.
     
  14. airchie

    airchie What's a Dremel?

    Decide what you think is a fair price for them to pay you for helping them find and fix the issue, contact them telling them there is a serious issue, tell them you're willing to disclose the issue and assist in fixing it for x amount, and see what they say.

    If they say yes then happy days, fix the issue and get the cash.
    If not, screw them and leave them to get shafted. :D
     
  15. smc8788

    smc8788 Multimodder

    If I were you, the first thing I'd consider is writing a letter to their head office, addressed to someone high up in the company if you can. If you just phone them up I doubt they'd give you the time of day; they'd just think you're some moron taking them for a ride and after some cash.
     
  16. lex90

    lex90 Minimodder

    1. Exploit
    2. Exploit some more
    3. Exploit with friends and family
    4. Sell problem with solution to company
    5. Find new Bug & repeat step 1-5

    Ugh, and don't act as if it's some poor family losing thousands; it's some group of rich schmucks who are going to have a slightly lower profit. All they do is rip you off with their $15 cables and their overpriced TVs; heck, even when they're on sale you can still find them cheaper on the net.
     
  17. julianmartin

    julianmartin resident cyborg.

    Tbh, you sound a touch greedy and full of yourself....

    Given there is an industry to do this - it only exists because one company goes out and asks another to test its product.

    However, born of this and people's greed, when someone goes up to them and says "I found x wrong with your product, give me money or I will capitalise on it myself", that is pretty much blackmail, or in legal terms extortion - they only get away with it because it's cheaper to pay said blackmailer than to get it out of them via the legal system. Morally, it's still a pretty damn cheeky thing to do.

    Just do the honest thing; it's only coincidence that you work in that sort of industry - anyone else wouldn't expect payment, a small expression of gratitude maybe, but not a lot more.
     
  18. Turbotab

    Turbotab I don't touch type, I tard type

    I have a feeling that the website may be Littlewoods; TV presence and use of discount codes are all features of its site. I had a quick look but failed to dredge up anything concrete; any whitehats want to have a look?
     
  19. AndyDEL

    AndyDEL What's a Dremel?

    Again, I think you fail to understand the way the industry works in this regard, Julian.

    QA/test companies do exist where you contract them to test your product; it's quite common, especially in India. It's generally considered quite a good way to test initially, due to the detachment the QA side has from the development side. Unfortunately the inherent flaw with this is that many of those outsourced companies find it difficult to adapt to different industries, often misunderstanding the user requirements specification or master requirements.

    What I am talking about is a part of the industry where companies set up shop and purposely look for systems or software and their flaws. They have no connection to the company. They then submit their findings to that company and offer to help them resolve any major issues for a fee; this is a rather lucrative and expanding industry, especially in banking and security systems. Why do you think Microsoft and other companies hold competitions to break their software with a large reward if accomplished? It's to stop these companies from discovering them, as in the long run it'll cost them more than, say, a competition would.

    It's not purely coincidence that my job revolves around this very thing; it's by result that what I do for a living is the reason I found this issue. Same reason I found the Xbox Live subscription issue: I tend to look at a piece of software and its flaws. Unusually, the majority of major issues found in software are very similar; you'd be amazed at how many of the same issues are discovered again and again through regression testing. Developers tend to make the same mistakes.

    As for greed - I'm not entirely sure what world you live in; maybe it's the happy one where everyone walks around farting out rainbows. I live in the real world, where large corporations' sole purpose is to suck as much money out of their customers as possible to impress shareholders.

    This is a cost-to-risk reward. I have done the work; I have even constructed a brief on the issue and detailed test scripts on how the issue is reproducible in different areas. If they want to take advantage of my work, something that I'm not only experienced at doing but qualified to do, I should be rewarded appropriately. This isn't some small independent retailer; if it was, I'd have handed my findings over for free as soon as I found it. This is a large corporation who probably outsource or have internal teams to stop this from happening; I'm not about to do their job for them with no payment.
     
  20. capnPedro

    capnPedro Hacker. Maker. Engineer.

    But they didn't hire you to do it. I could go wash your car right now, but would you be happy when I deliver a £400 bill? Would you have to pay me? No.

    I don't know... have you seen how crap Argos' website is?
     