Jim hacks the fake stock market.
Occurred: Fall 2000
I met a strange fellow on the school bus when I was fourteen years old. I had just moved from a posh boarding school to a public school mid-semester and didn’t have many friends yet. There was this one kid who lived down the road from me. He had long hair, glasses, and generally wore ratty clothing. We had a couple of classes together but we never really talked. The bus picked him up in front of the General Store before school every morning and he was always on the payphone.

I never understood why he was always on the payphone. It was weird. Every day at 7:35am the bus would pull up to the General Store and Jay, the quiet longhaired kid wearing a Pink Floyd t-shirt and ripped up jeans, would be waiting, talking on the payphone.

Eventually my curiosity got the best of me and I started up a conversation with him, “Jay, why are you always on the pay phone every morning? Who are you talking to?”

As Jay rummaged through the contents of his backpack he looked up at me and calmly responded back, “Oh I was just talking to the Kremlin in Russia. I couldn’t get past the receptionist.”

Having never spoken to Jay before I figured he was lying to me. I told him he was full of shit and there was no way he was talking to an operator at the Kremlin.

Then Jay showed me his red box. I knew I had a new friend.

For those of you who don’t know, a red box is a special device that can generate a specific sound to trick payphones into thinking money was deposited. With a little bit of patience you could call anywhere in the world for free. (http://en.wikipedia.org/wiki/Red_box_phreaking)

Fast-forward a few years to our junior year of high school. Jay and I are sitting in our economics class sending wireless messages back and forth on our palm pilots.

Our teacher Mrs. Thomas chimes in, “Guess what class? Today we will begin competing in Long Island’s Newsday stock market competition! You will form up into teams and be given $100,000 in fake money to invest in the stock market. The teams will then compete against each other and teams from other high schools on Long Island. The team with the most money at the end of the semester will get have to have lunch with the chairman of the New York stock exchange.”

I pen in a message to Jay using my stylus. “Want to be on my team?”

Jay messages back “Ok.”


The contest was run through a stock trading website set up by Newsday. Since we only had one computer in the classroom we got to spend our class time in the ITC. The Information Technology Center was just a big room with a bunch of networked computers and a few shared printers. Being fresh off last year’s ban from the network (Read: http://www.jimbastard.com/Jim_deletes_the_tenth_grade.html), I was on my best behavior. I still had root access to any local machine and most of the network resources.
 
Each team shared a computer. Most teams had three or four members. My team consisted of Jay and myself. We would have forty-five minutes of relatively unsupervised computer access every morning. It looked like it was going to be a good semester.

A few weeks into the assignment Jay and I had done no stock market research. Instead of gathering company information for potential investments we had been figuring out the best way to play emulated NES games. We had figured out how to share and play ROMs with our friends over the network without alerting the large system administrator, Mr. Gauss.

I had assured Jay earlier that picking stocks was like playing the lottery and a monkey had a better chance of picking winning stocks than we did. He didn’t argue. Unfortunately, however, it came time for all the teams to buy stock. A quick executive decision was made and we randomly bought twenty thousand dollars worth of S&P 500 stocks.

We checked on our stocks the next week. Everything was down. The bubble was bursting.

We muttered back and forth, “What the fuck man.” “We are losing money” “Let’s buy some more stock.”

We went through the buying process again.

On the website you could enter in the amount of stock, the stock symbol, and BUY or SELL in a form. That form would POST to a confirmation page and from there you would click "TRADE". The trade would then be executed.

Our total net worth had gone from $100,000 to less than $92,000 in a week. We sucked. Stock trading sucked. This website sucked. Something had to be done.

Intrusion starts with a poke. If you poke something it will react. If it reacts the same way every time you poke it you can expect that behavior. If you poke it just right though you might get an unexpected reaction, unfamiliar behavior. If you can manipulate these unexpected reactions you can create exploits that allow functionality you were not expected to have.

We knew the basic formula for purchasing stock was: 

(Current Stock Price * Shares) + 2% Broker Fee = Total Cost of Stock Purchase

The total cost would then be subtracted from the cash in our account.

Knowing this we began to poke at the form for submitting stock trades. Instead of typing in ‘100’ for shares, we typed in ‘-100’. The page wouldn’t submit and we received a JavaScript popup telling us we had invalid input.

Seeing how JavaScript was in the way, we disabled it for the browser. We tried entering in some more junk data. The page submitted and we were brought to the confirmation page. The confirmation page read: “-100 is an invalid value for Share Amount. Please Go Back and reenter this information.”

This was a setback, but not a dead end. You might be wondering at this point why we wanted to enter a negative value for the stock price. If you look a bit closer at the basic formula for how stock purchases are made it will be quite apparent.

The formula on the backend of the website always assumed that the stock amount and price would be a positive number. The server would subtract the positive number from your account. If we could make either the stock amount or the price negative the server (in theory) would subtract a negative value from our total account balance. Basic mathematics will tell us that subtracting a negative number from a positive value will in fact add the number instead of subtracting it.

We went back to the order page and placed a purchase of 1,000 shares of MSFT at about thirty-five dollars per share.  We click submit and reach the confirmation page. “You are about to purchase 1,000 shares of MSFT. $35,700 will be deducted from your account. Confirm or cancel this order.”

Instead of clicking confirm Jay and I begin poking at the confirmation page. We do a view source and notice there is a hidden form storing the information relating to our stock trade. The form submits to a page called trade.pl. We try to access trade.pl and receive a 500 error.

Now Jay and I are about to perform what we would later know as an XSS attack. At this point in our lives neither Jay nor I have any idea what Cross Site Scripting is. We are two bored bastards playing around in the ITC.

I copy the entire source of the confirmation page and recreate a local html page with the copied code. I do a quick Regular Expression statement and replace “trade.pl” with “http://www.blahblabtradingsite.com/cgi-bin/trade.pl”. Our local form should now be able to submit directly to the trading site. I change the stock amount from 1,000 to -1,000. A few minor corrections are made and the local page compiles. I click submit and the order goes through.


We now have 1,000 shares of MSFT and about 127,000 dollars in our account.

Wait, what?

Jay and I look at each other in astonishment. We just bought stock and got paid to do it.

I immediately know what we have to try next, “Hey Jay, let’s sell this stock now.”

We sell our 1,000 shares of MSFT stock and our account balance is at $162,000.

Jay and I are ecstatic. We’ve just put ourselves in first place by a huge margin. Unfortunately for us we are more interested in what we just did to the website than winning. Before the end of class our total account balance is over a million dollars. We don’t tell anyone.

A week goes by and it’s Wednesday night. On Friday the new rankings for the stock market game are expected out. I have a mild panic attack. I know that when the person who compiles the listings sees we have over a million dollars, we are fucked. They will check our transaction log and see various negative orders and a few orders in the amount of “cat” shares. I really didn’t want to get banned from the network again. I decide it is time to flip the situation as quickly as possible.

One late night paper later and I have the full explanation of the entire incident typed up. I show up early to school the next day and bring two printed copies to my teacher asking her to forward one to Newsday. She’s a little puzzled to say the least. Before the end of the day our account balance is restored back to $100,000. We try our exploit and it no longer works. Newsday never responds to my paper.
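An added illustration, not part of the original post and not the contest site's code: a Python sketch of the final trade step, first trusting the hidden confirmation fields the way the story implies, then re-validating them at the point of execution. The field names, the `price` field, the quote table and the $92,000 starting cash are assumptions; what Newsday actually changed is not known.

```python
from decimal import Decimal

FEE = Decimal("0.02")                    # 2% broker fee, from the formula in the story
PRICES = {"MSFT": Decimal("35.00")}      # constructed server-side quote table

def total_cost(price, shares):
    """(Current Stock Price * Shares) + 2% Broker Fee."""
    subtotal = price * shares
    return subtotal + subtotal * FEE

def trade_trusting(cash, form):
    """Final step using the hidden fields unchecked (field names assumed)."""
    shares = int(form["shares"])
    price = Decimal(form["price"])
    # Holdings are not modelled here; only the cash deduction is shown.
    return cash - total_cost(price, shares)   # a negative cost raises the balance

def trade_validated(cash, form):
    """Same step, re-validating every field where the trade executes."""
    symbol = form.get("symbol", "")
    if symbol not in PRICES:
        raise ValueError("unknown symbol")
    raw = form.get("shares", "")
    if not (raw.isascii() and raw.isdigit()) or int(raw) == 0:
        # Rejects "-1000", "cat", "" and "0" regardless of what earlier pages checked.
        raise ValueError("shares must be a positive whole number")
    # The price is looked up server-side; any client-supplied price is ignored.
    cost = total_cost(PRICES[symbol], int(raw))
    if cost > cash:
        raise ValueError("insufficient funds")
    return cash - cost

def outcome(handler, cash, form):
    """Return the new balance, or the rejection reason as a string."""
    try:
        return handler(cash, form)
    except ValueError as err:
        return f"rejected: {err}"

if __name__ == "__main__":
    start = Decimal("92000")                 # constructed starting cash
    honest = {"symbol": "MSFT", "shares": "1000", "price": "35.00"}
    tampered = {"symbol": "MSFT", "shares": "-1000", "price": "35.00"}
    for form in (honest, tampered):
        print(form["shares"],
              outcome(trade_trusting, start, form),
              outcome(trade_validated, start, form))
```

The validated handler repeats the checks at the last step on purpose: validation on the order form and confirmation page does nothing for a request sent straight to the execution endpoint.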

The teacher gave Jay and me A’s for the assignment and I used the incident as part of my college applications. I also learned two very valuable bastard lessons: