Slashdot Mirror


Bug In Lowe's Site Sold Goods For Free. Couple Arrested For Exploiting It (bleepingcomputer.com)

An anonymous reader writes: A couple from the Brick Township in New Jersey stands accused of using a flaw in the Lowes online portal to receive goods for free at their home. According to the Ocean County Prosecutor's Office, the couple tried to steal goods worth $258,068.01, but only managed to receive approximately $12,971.23 worth of merchandise. Officers executing a search warrant said the residence resembled "more of a warehouse than a home." Investigators said they recovered enough merchandise to fill an 18-foot trailer. Most items were in their original packaging and still had their price tags. Police say one of the suspects posted ads for some of the stolen goods on a Facebook group used to buy and sell used objects. The suspect was selling most of the items at half the price offered on the Lowes website. Authorities did not provide in-depth technical details but revealed the flaw resided in the site's gift card module.
The lawyer for one of the suspects argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.


  1. Where are the security trolls? by ScentCone · · Score: 2, Insightful

    I clicked to read more so I could see how many people would be saying that it's not really theft if Lowes didn't prevent it from happening. You know, like if a shoplifter walks out of their store with a $20 impact socket in their pocket, and Lowes didn't notice him doing that, then it's totally Lowes' fault that he stole that.

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:Where are the security trolls? by chuckugly · · Score: 5, Insightful

      More like if Lowes self checkout station set the price on some goods at $0 if they were scanned upside-down, and people just checked out and left. And then got arrested.

    2. Re:Where are the security trolls? by sjames · · Score: 4, Insightful

      Don't be silly. This wasn't just Lowe's not noticing some stealthy action, this was Lowe's willingly packing up and shipping the goods to the couple after receiving no money.

      Given the volume and value of the goods, I find it hard to believe that the couple had no idea it wasn't just a really good deal, but I can somewhat see why they might not have fully realized it was a crime.

      Hopefully, they will be required to return the goods and receive a non-custodial sentence and a stern warning.

    3. Re:Where are the security trolls? by mikelieman · · Score: 4, Insightful

      Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

      Lowes is just full of fail on this one.

      --
      Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
    4. Re:Where are the security trolls? by Anonymous Coward · · Score: 2, Insightful

      If you picked up a couple of goods like that in a basket, I'd call the arrest unreasonable.

      If you went back and picked up an entire trailerload of those goods and only those goods, and walked out without paying a cent, I'd say at that point you should have realized something was wrong, and now we've got clear evidence of malicious intent.

    5. Re:Where are the security trolls? by ClickOnThis · · Score: 5, Insightful

      Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

      But would they be charged with a crime?

      If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.

      --
      If it weren't for deadlines, nothing would be late.
    6. Re:Where are the security trolls? by Anonymous Coward · · Score: 2, Insightful

      This involves a ton of contract law and consumer protections laws, which span huge volumes of the law. Trying to condense this to a simple yes/no is going to miss a ton of nuance.

      But, ultimately, if the seller can demonstrate that the buyer had intent to defraud, they will have no problem prosecuting the buyer.

      In the case of Lowe's here, intent to defraud is pretty clear, since a) the software glitch was used repeatedly and consistently - showing that it wasn't an accident nor a mistake - and b) no honest person expects to "buy" $200k worth of stuff for $0. I don't know if this is enough - IANAL - but this certainly doesn't paint the buyer in a pretty light.

      But again, this is going to have to be settled by a court.

    7. Re:Where are the security trolls? by quonset · · Score: 3, Insightful

      how many people would be saying that it's not really theft if Lowes didn't prevent it from happening.

      And you were correct in your assumption. Looking below, one can find many people blaming Lowe's. Not the criminals who deliberately exploited this flaw, not the criminals who were trying to resell their ill-gotten goods, not the criminals with piles of merchandise they obviously knew were stolen. Nope, it's all on Lowe's.

      One can imagine a scenario where people who go to Lowe's, pick up an item and walk out of the store without paying for it would be considered completely absolved of their crime because Lowe's didn't prevent it from happening.

      It's amazing the excuses used to justify criminal behavior.

    8. Re:Where are the security trolls? by intermelt · · Score: 3, Insightful

      Most references to US law imply that they would need to return the merchandise or pay for it if it is an obvious error in pricing. However, this all probably depends on how they received the discount on the merchandise. If it was a coupon code or certain methods of clicking, then they are probably OK. However, if they, say, used something like the Chrome inspector to change prices submitted to the backend, then they are probably liable for theft and/or hacking.

    9. Re:Where are the security trolls? by iCEBaLM · · Score: 4, Insightful

      That's Lowe's problem, or at least it should be. If a company is like a person then there's no excuse. If you ask a person to ship you free things, and they do, then I fail to see how this is a crime.

    10. Re:Where are the security trolls? by ClickOnThis · · Score: 4, Insightful

      On top of that, there's intent to sell.

      If you get a $250 discount off a $1000 TV by accident and then keep that TV for yourself, the law is pretty much going to ignore you.

      But if you get a $250 discount off a $1000 TV by accident but then use said accident to buy 500 TVs and proceed to re-sell all 500 TVs for $900, the law will happily slap you down.

      I dunno. $750 might very well be a reasonable price for the item. If you bought 500 of them in good faith, and sold them to get the arbitrage, I think it might be hard to prosecute you. (Dealer authorization issues notwithstanding.)

      On the other hand, if you got them for a price that was indisputably far below their market value because of a glitch in the seller's software, then I think the law can step in.

      In either case, it's probably up to the courts to decide who prevails. As it should be.

      --
      If it weren't for deadlines, nothing would be late.
    11. Re:Where are the security trolls? by Anonymous Coward · · Score: 2, Insightful

      However, if they, say, used something like the Chrome inspector to change prices submitted to the backend, then they are probably liable for theft and/or hacking.

      If you can do that, they are asking the user's computer to tell them what the price is / should be, and the computer not being a person, this thus becomes asking the user.

      Basically a "name your own price" scheme, as has been used before for things like music and indie-games.

      I would not consider any place a civilized country where a customer could be convicted of answering "nothing" when asked what he wants to pay for an item. In any reasonable law, that answer is considered an offer to buy the item at that price, and it is up to the shop to accept or reject the offer.

  2. class warfare by PopeRatzo · · Score: 5, Insightful

    When a consumer exploits a bug in the system, they get arrested. When a corporation or rich person exploits a bug in the system, it's called, "smart tax planning".

    --
    You are welcome on my lawn.
  3. Wells Fargo by Herkum01 · · Score: 4, Insightful

    Did Lowe's contact them, submit a ticket complaining about the problem? Unless they spent 3 hours waiting on the phone, I think they jumped the gun calling the police.

    Sounds ridiculous? Well that is what Wells Fargo was doing to its customers and it was called an accounting error. Try calling the police on Wells Fargo when they are making up bank accounts in your name, or forcing you to buy un-requested care insurance.