
Frustrated Customer Hacks Into DSL Website, Fixes Own Customer Service Issues, Is Thanked By Company Bigwig


When three months of phone calls and a $44 fee still didn't result in the name change he'd requested on his DSL account, Aussie techie Douglas decided to hop onto the website's customer portal and fix it himself using a Firebug plug-in. Since the site was extremely poorly engineered and he is a smartypants, he found it ridiculously easy to achieve. When he proudly posted the story to a programming blog, the DSL company wrote in to congratulate him.

Nice one, Douglas. Though I think a certain DSL company owes you about $44??

Connect Betterer [The Daily WTF] (Thanks to Ben S.!)
(Photo: totalAldo)


Comments:

user-pic

The DSL company is patting him on the back with one hand, and calling homeland security with the other.

user-pic

@Saboth: since when does Australia have homeland security?

user-pic

My only problem is that he paid the $59 fee, waited two months w/no changes, then fixed it himself. I would have called and asked them to remove/reverse the $59 fee, THEN fixed it. But I'm just cheap.

user-pic

@HRGirl:

I thought every country had some kind of homeland security these days...with the Brits having the worst "nanny state".

user-pic

I wouldn't be calling this a hack, but a simple manipulation of HTML code, with firebug, when submitting his detail changes. He never hacked 'into' anything, but just altered the information sent.

user-pic

@HRGirl: I know, they're not the homeland at all; they're clearly a foreign country!!

user-pic

If my ISP was that totally incompetent, I'd cancel immediately, probably change my bank account info as well.

user-pic

He didn't hack anything, he exploited a flaw in the website design that there was no check in place for. He had already authenticated to the site with valid credentials, so all he did was change something on his record that they had simply disabled. Now, if he was able to do this without first authenticating, or was able to do it to someone else's account without authenticating, it would be a hack. The actual risk associated with this bug is very low since the only person who can access it is the owner (or someone who knows the owner's) credentials, and if that info is known, they would be able to call and probably get the person on the phone to make the change anyway.


But good for him, I hope they refund the name change charge, and I also hope they don't press charges against him for unauthorized access to electronic information.

user-pic

Why would he ever agree to a $59 fee for something so simple. It would have been cheaper to cancel his account and open a new one.

Also why after 2 months did he not call back to dispute the insane fee he paid when they obviously didn't even make the change!?

user-pic

@DistortedViewListener_GitEmSteveDave:
That's not being cheap, it's being smart. First off that fee is nothing short of insane. Second he paid for the silly change and they never even changed it! They should have refunded him...well they should have never charged but that's beside the point.

user-pic

@RichardSS: That's still a hack. Changing code to change the outcome.

user-pic

They owe him more than his money back. They also owe him like 3 months (~100 dollars or kangaroocoins) worth of credit because of his freelance work to fix their website.

user-pic

@Saboth: In Australia they just have prison guards. I'm surprised they let one access a computer in the first place.

user-pic

@silver-bolt: He actually didn't change HTML at all.

The website used a form submission for the name. He submitted the form with the proper values.

user-pic

This is when being a smartass actually pays off.

user-pic

@WiglyWorm: Well that's what I meant, the changes made were on his side, and the form is technically HTML code.

user-pic

@xtc46: He did what? He "exploited a flaw"? So he hacked, then. It's a pretty inclusive term is all I'm saying. Just because it's more of a grey hat hack doesn't mean it's not a hack, nor that "hacking" is a bad thing in and of itself.

user-pic

Congratulating someone for doing something that -could- be seen as illegal doesn't quite sit right with me.

It's like logging into your shared email account (with wife/husband) and changing the 'from' field to say 'from ben and that skank'. Yes, you have the permission to, but it doesn't make the act OK.

user-pic

@xtc46: meh. It's a hack in the sense that he subverted controls that were in place to keep him from changing it.

That said, there is no reason why they couldn't have changed the tag on the input to something editable.

user-pic

@xtc46: "he exploited a flaw in the website design"
That would be one definition of 'hacking'.

user-pic

Hey, where'd you get 44 from, Consumerist? The article you linked to says 59...

user-pic

@RichardSS: I would totally be calling this a hack. In fact, I'd be yelling that to everyone who will listen. Good job Consumerist!!! This is a classic example of a hack. Modifying something to make it do something it really should have done anyway.

Media coverage of "hackers" and "hacks" has been almost entirely negative. They never talk about a good hacker. They never refer to something positive as a "hack." And therefore, most of the public thinks that all hacking is bad and that all hackers are criminals and that anything good can't possibly be a "hack."

There are many examples of useful hacking. I'm glad to see Consumerist stepping up to the plate and calling this what it was: a hack.

user-pic

@plamoni: PS - I misread the title, I thought it said, "Customer Hacks DSL Website," rather than "Hacks Into." The "Into" part makes it sound like the traditional media use of the term and therefore is actually the worst kind of usage. This guy hacked the site, but only the client side. By saying "Hacked Into" they're implying he somehow gained unauthorized access to the site. Which is entirely untrue. This was a hack, but not some sort of computer invasion. Sorry Consumerist, better luck next time!

user-pic

@seamer: If the crosswalk light is burnt out, do you stand there for 4 days for it to be repaired before crossing? It sounds like you would.

user-pic

@Saboth: As much a nanny state you might want to call them, their security measures are way better than those in the US, and with way less annoyance as a bonus.

As for what this guy did, he found it without really doing anything overtly aggressive against the company infrastructure. He just found that it was extremely bad design that allowed him to do what he did.

user-pic

Coming from an industry web developer, I'd hardly call this a hack. This can be done extremely easily with firebug (as described) or even the 'Web Developer' plugin. In fact, the WD plugin is easier. Just click Forms 'Enable Form Fields' - tadaa. This will convert all forms that are set to read only as read/write.

It's stupid code on the ISP's site side that is accepting data from a field without validating whether they "can be" changed. They do a check when the form is generated, (that's why they start as read only) but not when the data is accepted. This is hardly hacking. Hacking would be changing data that he did not have inherent access to change - for example, another customer's information.

Now if he specified SQL code in his form inputs to change things by injection, that'd be totally different. But this is hardly hacking.
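The gap described in the comment above (the read-only check runs when the form is generated, but not when the data is accepted), shown with the missing server-side check in place. This is an added example, not code from the original post or from the ISP's site; the field names, roles and sample record are assumptions.

```python
# Added example: hypothetical account-update handler. Field names, roles and
# the sample record are constructed for illustration.

# role -> fields that role may change through the portal
EDITABLE_FIELDS = {
    "customer": {"email", "phone"},
    "support_agent": {"email", "phone", "account_name"},
}

SAMPLE_RECORD = {  # constructed sample data
    "account_name": "Former Roommate",
    "email": "old@example.test",
    "phone": "555-0100",
}


class FieldNotEditable(Exception):
    """Raised when a submission tries to change a field the role may not edit."""


def render_form(record, role):
    """Form generation: marks fields read-only. This only affects display."""
    allowed = EDITABLE_FIELDS.get(role, set())
    return {f: {"value": v, "readonly": f not in allowed}
            for f, v in record.items()}


def apply_update(record, submitted, role):
    """Form acceptance: re-check every submitted field against the same policy.

    The browser controls everything in `submitted`, so the read-only flag
    sent with the form is never trusted; only the server-side policy counts.
    """
    allowed = EDITABLE_FIELDS.get(role, set())
    changes = {}
    for field, value in submitted.items():
        if field not in record:
            raise FieldNotEditable(f"unknown field: {field}")
        if value == record[field]:
            continue  # read-only inputs are resubmitted unchanged; ignore them
        if field not in allowed:
            raise FieldNotEditable(f"{field} is read-only for role {role}")
        changes[field] = value
    return {**record, **changes}  # new dict; the stored record is not mutated
```

Both functions read the same `EDITABLE_FIELDS` policy, so the form that is displayed and the update that is accepted cannot drift apart.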

user-pic

@plamoni: I am able to see how and when hacking could be good, but I do not think hacking is something you want people to do on an everyday basis.

That would put WAY toooo many cooks in the kitchen.

user-pic

@LegoMan322: Hacking is something you want many people doing on a regu....

@plamoni: Yeah. certainly nothing was hacked "in to". All data was served to the local computer and modified on that end. It was a simple matter of editing data in the greyed out field. The same thing probably could have been done by changing the url to have a SQL statement in it, or possibly editing a cookie on the local PC, depending on how variables are defined.

user-pic

@madog: Shouldn't that be, "Cause he's 1337 hAxOrZ!!!11!!"

user-pic

That's a pretty sweet rig.

user-pic

Actually, this is hacking, in the classic sense-- it's leaving the delimited path and doing something the designers didn't intend. Are you supposed to leave that path? Arguably not, but if you do, you're likely to see things a whole different way and maybe get a bit more functionality out of something!

Yep, I'm one of those technologists who makes a distinction between "hacking" and "cracking". There's certainly overlap, but hacking mostly involves modifying things (most commonly, computer code, but it can apply to modifying devices to serve a purpose other than intended). Cracking is, more specifically, the circumvention or outright breaking of a security measure.

No, this guy didn't crack anything, he just used a trivial hacking tool to leave the path, look around, and perform actions that the website (obviously) wasn't intended to allow. Definitely a hacker.

user-pic

Someone is going to pay, believe me.

user-pic

@Knippschild: Web application developers everywhere should be literally flabbergasted that this code went into a production website. Cardinal sin number 1 is not validating user submitted data.

user-pic

@ugadawg: Never since the US generally keeps breaches of security to themselves until someone dies. So cross your fingers that preventing the public from holding those in power accountable is a wise security move.

user-pic

They owe him a contractor's fee is what they owe him. He got the job done AND he probably showed how their site is poo that anyone with enough knowledge can get in there easily and do who knows what. At least he wasn't working for evil (that they know of, so far!).

user-pic

@synergy: My mistake. He didn't get into the site, but he still showed them that their page is poo.

user-pic

@Andrew Farris: Agreed. I want to shoot myself thinking of it.

And ISP? Wow. Makes me sick :(

user-pic

Don't you find it amazing that the company exec had to ask them to help find Douglas? Um, don't they kinda have his full name, and an account in his name?

user-pic

omg where do I begin with this guy?

First off, the dsl service belongs to his roommate. Not to him, not to that address, but to him. Why do people think that just because they call in and say "my roommate moved so this belongs to me"? No. it doesn't. the dsl company has a contract with that individual. no one but that person has the authority to cancel it or make changes. Should a company cancel *your* phone service/cable/ or anything else that belongs to you because *I* say to do it? No? Then how is it right for this guy to take the roommate's name off the bill without the roommate saying it's ok?

the roommate has the right to move his dsl to his new address. there may be a cancellation fee for cancelling before a contract date is up. It's not likely in this particular case, but just because someone moves out it doesn't necessarily mean they want the service cancelled or don't want the service in their name. I've seen spouses move out and keep service in their name so they have control. I've seen parents have services for their adult kids in their name so they have control.

When you put something into your name, usually a brand new account is created. this may involve a credit check or a request for a security deposit depending on the service we're talking about. There may be a contract for the new individual. For some services the company is legally not allowed to simply "change the name". they may have to close the account, terminate service, and then establish a brand new account.

Bottom line: changing a name on an account is NOT just changing a few letters in the address field. It has all sorts of ramifications for both the company, the old party and the new party. The service being provided isn't yours and you have no right to it, even if you are married to the other bill name. The company had a contract with them not you.

PS this guy is lucky he's not being arrested for hacking into their systems (though it was so unbelievably easy it hardly counts as a hack, but technically it is)

//rant off

user-pic

It is pretty incredible what you can do with firebug.

The other day I was on a website that wouldn't let you access it without an account, so I just removed the thing that was blocking the content.

I've also seen sites that calculate shipping in javascript and pass it to the server. Free shipping!

user-pic

@xtc46: Hacking is simply using something in a way that is not intended in order to accomplish a goal. It doesn't necessarily have to be uber difficult.

user-pic

@painfullyblunt: I'm trying to decide if your response was written in "troll" or if you are just one of those incessant rule followers.

I'm leaning more towards incessant rule follower.

You should really try challenging authority. It's very liberating and it gives you a far better understanding of why the "rules" were made in the first place.

Consider this a lesson about the evolutionary failing of lemmings.