Bug In Lowe's Site Sold Goods For Free. Couple Arrested For Exploiting It (bleepingcomputer.com)
An anonymous reader writes: A couple from the Brick Township in New Jersey stands accused of using a flaw in the Lowes online portal to receive goods for free at their home. According to the Ocean County Prosecutor's Office, the couple tried to steal goods worth $258,068.01, but only managed to receive approximately $12,971.23 worth of merchandise. Officers executing a search warrant said the residence resembled "more of a warehouse than a home." Investigators said they recovered enough merchandise to fill an 18-foot trailer. Most items were in their original packaging and still had their price tags. Police say one of the suspects posted ads for some of the stolen goods on a Facebook group used to buy and sell used objects. The suspect was selling most of the items at half the price offered on the Lowes website. Authorities did not provide in-depth technical details but revealed the flaw resided in the site's gift card module.
The lawyer for one of the suspects argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.
This is more like those people hearing about that trick (or maybe finding out themselves), then making sure they scanned every item upside down. It's similar to incorrectly priced items, and over here (NL) the law is sort of clear on that. If an item is priced too low by accident (or rung up incorrectly at the register), the customer gets to keep the purchase at the lower price... unless there is a "clearly apparent mistake". A €1000 TV priced at €800 would not be a clear mistake; a €200 discount would be a really good one, but plausible. That same TV priced at €100 is clearly a mistake though. Same as someone who manages to order over $18.000 worth of goods on a $20 gift card because of a flaw in the system. Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here. How does that work in the States?
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.
How would a warehouse worker or truck driver know that the customer wasn't correctly charged by the website for their purchase?
Got that right. There is a communication problem in any big organization. This can be taken advantage of if you know the system.
The rest of your comment aside, a warehouse worker or truck driver shouldn't need to know the price of the items they are packing and delivering - they get their marching orders from a printout (or electronic message) that tells them what to pack and likely prints a shipping label for them.
Stupid sexy Flanders.