Bug In Lowe's Site Sold Goods For Free. Couple Arrested For Exploiting It (bleepingcomputer.com)
An anonymous reader writes: A couple from the Brick Township in New Jersey stands accused of using a flaw in the Lowe's online portal to receive goods for free at their home. According to the Ocean County Prosecutor's Office, the couple tried to steal goods worth $258,068.01, but only managed to receive approximately $12,971.23 worth of merchandise. Officers executing a search warrant said the residence resembled "more of a warehouse than a home." Investigators said they recovered enough merchandise to fill an 18-foot trailer. Most items were in their original packaging and still had their price tags. Police say one of the suspects posted ads for some of the stolen goods on a Facebook group used to buy and sell used objects. The suspect was selling most of the items at half the price offered on the Lowe's website. Authorities did not provide in-depth technical details but revealed the flaw resided in the site's gift card module.
One of the suspects' lawyer argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.
One of the suspects' lawyer argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.
Many years ago I bought my current desk from the OfficeMax store for $55. Several months later I got an OfficeMax coupon for $50 off ANY desk with no other restrictions listed. So I went back to the store, pulled the desk off the shelf, and presented the coupon to the cashier clerk. The register refused to accept the coupon. When the manager came over, I pointed out the word "ANY" on the coupon, and he overrode the register. I got a $55 desk for $5 plus tax. Later on I got another $50 coupon without the word "ANY" and restricted to $500+ desks.
Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.
But would they be charged with a crime?
So that customer found multiple vulnerabilities in Lowe's order fulfillment process. I think that's worth a bug bounty of well over $13k. Lowe's should say thank you and call it even.
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.
But would they be charged with a crime?
If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.
Exactly. If they stumbled onto a "great deal" once and bought it I would say they shouldn't be charged with a crime. However, finding over 250k$ of "good deals" (as their lawyer claims) crosses the line into criminal, IMHO.
I'm a consultant - I convert gibberish into cash-flow.
Got that right. There is a communication problem in any big organization. This can be taken advantage of if you know the system.
In the Army there's a lot of delegation and division of duties. I've seen this used and abused. A fellow recruit (happened to be prior service Marine so he knew the system better than I) and I needed to get some luggage before getting our orders but we knew that if we simply asked for permission to go to the PX it would likely be denied. He just said to follow him and I did, I watched him go from one sergeant to the next with BS and half truths and in 20 minutes we were walking to the PX. He just did a Jedi mind trick on three sergeants to get us what we wanted. That's a pretty mild abuse of the system and if someone ever asked too many questions it would have been a "don't do that again" warning.
Another recruit would like to pull this trick by claiming "Sergeant Major says..." which got annoying real quick. Going to ask the Sergeant Major every time would have taken more time than just doing what he asked and I don't know if he got nailed on it. I got my luggage and my orders and I was gone before that happened.
I am armed because I am free. I am free because I am armed.
You said 'Court' but I want to point out, it's not for the judge to decide, it's for the Jury. This is why we have Jury trials. Specifically it's supposed to be your 'peers.'
The question is asked, "Do you think this person is guilty of stealing from this company?"
The judge says, "This is what the law is and what it says."
The lawyers say, "this is what the defendant did or didn't do."
Then it's up to the Jury to decide if what the defendant did or didn't do counts as breaking the law.
Sometimes it's cut and dried...but if it was always black and white like that we wouldn't need juries. Juries are specifically for cases like this where the people say, "Yes, I ordered all that stuff, but I didn't think it was breaking the law." The people on the jury say, "You know...I probably wouldn't have known it was against the law either." or they say, "Don't be an idiot. That's obviously against the law." That's why they are supposed to be 'peers.' People who 'generally' think the way you do.
Another example of 'great jury fodder' is self-defense. "I would have done the exact same thing in the situation."
--Welcome to the Realm of the Hawke--
There are a number of occasions in England where a jury's refusal to convict whistleblowers for releasing embarrassing state 'secrets' has done a lot to rein in the government. Yes, you pay a price in terms of some real crimes being unprosecutable as well - receiving stolen goods for example - but overall I think the price is worth paying.
So does your definition of 'civilised' equal 'authoritarian'?