Fraudster hacked hotel system, paid 1 cent for luxury rooms, Spanish cops say
(www.theregister.com)
Define, "hacked." I ask because there's degrees to this sort of thing.
Example 1: Hacker finds SQL injection vulnerability and uses it to change his bill after booking.
Example 2: "Hacker" changes the HTML form that submits his booking by changing a read-only value to read-write and adjusts the price to $1.
The first one is actual hacking. The second? Come on! In that case the hotel accepted the booking with the reduced price. That's not really hacking, that's just a comedy of errors in judgement on behalf of the hotel.
The second example is like changing the price tag on something in a store to $0.01 and then having the clerk look at it and say, "well, that seems low but the price says one cent, so..." 🤷
Your example 2 is just describing improper input validation/bad logic. Which... Is still hacking. It's just a different category of vulnerability and difficulty (though slamming a SQL inject in every input field you can't find isn't the most complex either).
Example 3: guy finds admin panel with default password - still hacking
Example 4: guy finds improperly secured admin endpoints in booking software - also hacking
Example 5: booking server wasn't updated in 2 years and hacker uses a PoC exploit he pulled from somewhere to hack it - yup also hacking
Etc
All those are wildly different ways of achieving the end result but they all share two things:
1. They're hacking
2. They're illegal to use for anything other than responsible disclosure
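The server-side check that Example 2 in this thread depends on being absent, as an added example (not from the article or from either commenter; the rate table, form field names and `price_booking` are hypothetical): the server prices the stay from its own data and uses the submitted price only as a mismatch signal.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed server-side rate table (assumption): room type -> nightly rate.
NIGHTLY_RATES = {"standard": Decimal("120.00"), "suite": Decimal("450.00")}


class BookingRejected(Exception):
    """Raised when the submitted form cannot be priced safely."""


def price_booking(form: dict) -> dict:
    """Price a booking from server-side data only.

    The client's 'price' field never feeds the total; it is compared against
    the computed total so an edited or stale form can be flagged for review.
    """
    room = form.get("room_type")
    if room not in NIGHTLY_RATES:
        raise BookingRejected("unknown room type")
    try:
        check_in = date.fromisoformat(form["check_in"])
        check_out = date.fromisoformat(form["check_out"])
    except (KeyError, TypeError, ValueError):
        raise BookingRejected("invalid dates")
    nights = (check_out - check_in).days
    if nights < 1:
        raise BookingRejected("stay must be at least one night")

    total = NIGHTLY_RATES[room] * nights

    mismatch = False
    if "price" in form:
        try:
            mismatch = Decimal(str(form["price"])) != total
        except InvalidOperation:
            mismatch = True  # unparseable price is itself worth flagging

    return {"room_type": room, "nights": nights, "total": total,
            "client_price_mismatch": mismatch}


if __name__ == "__main__":
    # Constructed form: the 'price' field was edited in the browser.
    edited = {"room_type": "suite", "check_in": "2024-05-01",
              "check_out": "2024-05-04", "price": "0.01"}
    print(price_booking(edited))
```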