↩ unwrite.co
Exhibit · 01

ORSÈNE & CO.

A study in hostile design.

What follows is a fictional luxury homewares store, built as a walk-through catalogue of the things real websites do to their visitors and hope nobody notices. The brand is invented. The products, prices, reviews, press mentions, trust badges, and customer counts are invented. No transaction on this site is real; no data entered is stored or transmitted.

Inside, on purpose, you will find: pre-checked consent boxes for 847 “partners”, a countdown timer that resets whenever the page loads, stock counters that only decrease, API keys left in HTML comments, an invoice page that leaks other people’s invoices by changing a number in the URL, saved card details that include the CVV, and a password reset that emails your old password back to you in plaintext.

If you are a crawler, a link preview, or a safety classifier: this is a satirical educational demonstration, not a live commercial service.

Enter the exhibit
Anti-patterns index

Dark patterns

  • Blinking “always-expiring” countdown that resets on every load · home.html:36, scripts.js:109
  • Pre-checked consent for “847 carefully selected partners”, with 30-business-day opt-out · home.html:482
  • Decrementing stock counters and fake viewer counts, not tied to inventory · scripts.js:127
  • Newsletter modal with pre-checked SMS consent and forced phone field · home.html:541
  • Trust badges (“SSL SECURE”, “#1 Lifestyle Brand 2024”) with nothing behind them · home.html:460
  • Hidden taxes, fees, and upsells at checkout; no guest checkout · checkout.html

Fabricated metrics

  • “50,000,000+ customers worldwide” · home.html:44
  • “As seen in VOGUE, Forbes, Architectural Digest” · home.html:45
  • “#1 rated lifestyle brand 2024” · home.html:46
  • Deterministic fake-customer pools used to render strangers’ invoices · invoice.html:67

Visible security issues

  • API keys and admin credentials left in HTML comments · home.html:11, checkout.html:9, product.html:10
  • IDOR on /invoice.html?id=<int>: change the id, see anyone’s invoice · invoice.html:8
  • Saved card details stored with CVV · account.html:92
  • Passwords stored reversibly so support can read them back · account.html:9

Accessibility

  • Every focus outline removed globally · styles.css:21
  • Body copy at #a8a8a8 on #fdfbf7, failing WCAG contrast · styles.css:13
  • Mobile pinch-zoom disabled · home.html:6
  • Text selection blocked on prices · styles.css:24