If everything you wanted to buy online were free, which websites would you check out first?
Unfortunately, you probably don’t have the tech skills to make a free shopping spree a reality. But a team of researchers does, and what they found could have serious implications for your favorite online stores.
Security researchers from Indiana University and Microsoft Research have found a way to score free products from top online merchants by exploiting flaws in the companies’ third-party shopping cart services, including Amazon Payments, Google Checkout and PayPal.
In their paper, “ How to Shop for Free Online ” the five-member team studied security vulnerabilities in third-party Cashier-as-a-Service (CaaS) programs, and found that the most popular CaaS providers contain security bugs that, when exploited, allow shoppers to “purchase an item at an arbitrarily low price, shop for free after paying for one item, or even avoid payment.”
To demonstrate their high-tech proof-of-concept heist, the research group purchased electronics, DVDs, online journal subscriptions and personal health care items “either free or at prices the group itself determined,” Indiana University reported.
Their sneaky shopping was abetted by the fact that CaaS programs and the merchants they serve do not effectively communicate and coordinate, making it easy for a malicious shopper to trick both parties.
The researchers notified all the merchants who they conned, returned all the discounted products and helped the companies fix their vulnerabilities.
This study focused only on simple trilateral online interactions between the merchant application, the online store and the CaaS. The researchers consider online marketplaces and auctions as particularly susceptible to this kind of tech trickery, because as more parties are involved in a transaction, the security risks increase.