Could a Malicious Hacker Alter a Hidden Post Variable

Yes, it is trivially easy for anyone to modify your form variables. Whether they are GET or POST doesn't matter at all.

Web security rule #1: Never trust any user input. Also stated as "All users are malicious hackers" or some variant thereof.

answer to comment: The solution is to know all of the correct values on the server side, without having to pass them through the client side (JavaScript). So regardless of what the form says, you already know the price. Just use the same value you used to populate the form in the first place.


Forget JavaScript and browser tools. Please realize that I can send ANY cookie, POST and GET argument (key and value pairs) I want, regardless of whether this is a form for them. (See cURL.)

Frank said "At the store, you would very rarely see clients fill their shopping carts, and then tell the cashier how much they have to pay."

Try to think of it like that. The browser (not user) is the client and the server is the cashier. Any information that flows from the browser to the server can be anything I want.


Update 2020:

OWASP covers this topic in "Injection Theory", where applications accept data from untrusted, uncontrolled, or potentially compromised sources.

Injection is an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter.

Review this OWASP "cheatsheet" for an overview of mitigations that can be implemented to better secure REST based endpoints.


Yes, it is very simple to do with browser inspector tools, JavaScript, cURL and other tools.


You shouldn't rely on the amount field being what you'd initially transmitted in the response to the client. A more secure approach would be to rely on an identifier for an item, which you can map to a price on the server (a more controlled environment).
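The item-id-to-price mapping this answer describes, shown as an added example that is not code from the answer or from any project. The flawed handler reads the hidden `price` field; the hardened one reads only `item_id` and `qty` and takes the price from a server-side catalog. The catalog contents, field names and quantity limit are assumptions.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Hypothetical server-side catalog: the only source of truth for prices.
CATALOG = {"42": Decimal("19.99"), "43": Decimal("5.00")}


def parse_form(body: str) -> dict:
    """Parse a URL-encoded POST body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def total_trusting_client(body: str) -> Decimal:
    """Flawed pattern: the hidden 'price' field is believed exactly as sent."""
    form = parse_form(body)
    return Decimal(form["price"]) * int(form["qty"])


def total_from_server_catalog(body: str) -> Decimal:
    """Hardened pattern: only item_id and qty come from the request.

    The price is looked up in CATALOG, so a rewritten 'price' field is
    simply ignored, and malformed or out-of-range input is rejected.
    """
    form = parse_form(body)
    item_id = form.get("item_id", "")
    if item_id not in CATALOG:
        raise ValueError("unknown item_id")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty must be an integer")
    if not 1 <= qty <= 100:  # assumed per-order limit
        raise ValueError("qty out of range")
    return CATALOG[item_id] * qty


def is_rejected(body: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        total_from_server_catalog(body)
    except ValueError:
        return True
    return False


# Constructed request body in which the hidden price was rewritten
# from 19.99 to 0.01 before submission (the tampering the answers describe).
TAMPERED_BODY = "item_id=42&price=0.01&qty=3"
```

Run the two handlers on `TAMPERED_BODY`: the first bills 0.03, the second bills 59.97 because the client-supplied price never enters the calculation.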


Yes, it is possible to change that value using JavaScript. If you have no practice using JavaScript, you can also do the test using Google Chrome's Developer Tools.

In fact, this is one of the main reasons not to rely on user input.