Refuse to sell a Marketplace product for the wrong price

RESOLVED WONTFIX

Status

Marketplace
Payments/Refunds
P3
normal
RESOLVED WONTFIX
3 years ago
2 years ago

People

(Reporter: kumar, Unassigned)

Tracking

Avenir
x86
Mac OS X
Points:
---

Details

While exploiting a now-patched JWT flaw (see bug 1145024) I was able to change the price of an app to $0.00 and acquire it for free. The real app was priced at $0.99 so I was surprised that I was able to fully acquire the app.

If a product is not marked free in the database then we should refuse to complete a free purchase. This might help protect against unknown future JWT flaws. 

We should also protect against reduced price attacks, such as changing a $19.99 app to $0.10

Comment 1

3 years ago
In the end all we really need is to be able to say: buy app X, or buy in-app product Y. And that's it, the marketplace can provide everything else without any opportunity for worrying about what the JWT says or doesn't say.

I think the bigger goals of trying to do something with mozPay made our life more complicated without good reason. Perhaps getting rid of the JWT and mozPay wasn't the comment you were looking for though :)

Updated

3 years ago
Priority: -- → P3

Comment 2

2 years ago
Based on the recently announced future plans for the Marketplace to remove payments, closing these bugs.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.