Bug In Lowe's Site Sold Goods For Free. Couple Arrested For Exploiting It (bleepingcomputer.com)
An anonymous reader writes: A couple from the Brick Township in New Jersey stands accused of using a flaw in the Lowes online portal to receive goods for free at their home. According to the Ocean County Prosecutor's Office, the couple tried to steal goods worth $258,068.01, but only managed to receive approximately $12,971.23 worth of merchandise. Officers executing a search warrant said the residence resembled "more of a warehouse than a home." Investigators said they recovered enough merchandise to fill an 18-foot trailer. Most items were in their original packaging and still had their price tags. Police say one of the suspects posted ads for some of the stolen goods on a Facebook group used to buy and sell used objects. The suspect was selling most of the items at half the price offered on the Lowes website. Authorities did not provide in-depth technical details but revealed the flaw resided in the site's gift card module.
One of the suspects' lawyer argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.
More like if Lowes self checkout station set the price on some goods at $0 if they were scanned upside-down, and people just checked out and left. And then got arrested.
Don't be silly. This wasn't just Lowe's not noticing some stealthy action, this was Lowe's willingly packing up and shipping the goods to the couple after receiving no money.
Given the volume and value of the goods, I find it hard to believe that the couple had no idea it wasn't just a really good deal, but I can somewhat see why they might not have fully realized it was a crime.
Hopefully, they will be required to return the goods and receive a non-custodial sentence and a stern warning.
This is more like those people hearing about that trick (or maybe finding out themselves), then making sure they scanned every item upside down. It's similar to incorrectly priced items, and over here (NL) the law is sort of clear on that. If an item is priced too low by accident (or rung up incorrectly at the register), the customer gets to keep the purchase at the lower price... unless there is a "clearly apparent mistake". A €1000 TV priced at €800 would not be a clear mistake; a €200 discount would be a really good one, but plausible. That same TV priced at €100 is clearly a mistake though. Same as someone who manages to order over $18.000 worth of goods on a $20 gift card because of a flaw in the system. Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here. How does that work in the States?
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.
Lowes is just full of fail on this one.
Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
When a consumer exploits a bug in the system, they get arrested. When a corporation or rich person exploits a bug in the system, it's called, "smart tax planning".
You are welcome on my lawn.
Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.
How would a warehouse worker or truck driver know that the customer wasn't correctly charged by the website for their purchase?
Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.
But would they be charged with a crime?
If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.
If it weren't for deadlines, nothing would be late.
So that customer found multiple vulnerabilities in Lowe's order fulfillment process. I think that's worth a bug bounty of well over $13k. Lowe's should say thank you and call it even.
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.
But would they be charged with a crime?
If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.
Exactly. If they stumbled onto a "great deal" once and bought it I would say they shouldn't be charged with a crime. However, finding over 250k$ of "good deals" (as their lawyer claims) crosses the line into criminal, IMHO.
I'm a consultant - I convert gibberish into cash-flow.
Okay, car analogy...
Imagine your car goes to the Lowes website to buy tires. Your car finds out a way to get the tires shipped to the house without paying for them. Your car is now selling the tires at half price on eBay, and for some reason you don't mind a pile of tires in your garage. Now, should your car be sent to prison for this, or should your car have the remaining tires returned and then told to... retire... from selling things on eBay?
No, don't get up, I can find the exit myself.
I am armed because I am free. I am free because I am armed.
Did Lowe's contact them, submit a ticket complaining about the problem? Unless they spent 3 hours waiting on the phone, I think they jumped the gun calling the police.
Sounds ridiculous? Well that is what Wells Fargo was doing to its customers and it was called an accounting error. Try calling the police on Wells Fargo when they are making up bank accounts in your name, or forcing you to buy un-requested care insurance.
That's Lowe's problem, or at least it should be. If a company is like a person then there's no excuse. If you ask a person to ship you free things, and they do, then I fail to see how this is a crime.
On top of that, there's intent to sell.
If you get a $250 discount off a $1000 TV by accident and then keep that TV for yourself, the law is pretty much going to ignore you.
But if you get a $250 discount off a $1000 TV by accident but then use said accident to buy 500 TVs and proceed to re-sell all 500 TVs for $900, the law will happily slap you down.
I dunno. $750 might very well be a reasonable price for the item. If you bought 500 of them in good faith, and sold them to get the arbitrage, I think it might be hard to prosecute you. (Dealer authorization issues notwithstanding.)
On the other hand, if you got them for a price that was indisputably far below their market value because of a glitch in the seller's software, then I think the law can step in.
In either case, it's probably up to the courts to decide who prevails. As it should be.
If it weren't for deadlines, nothing would be late.
You said 'Court' but I want to point out, it's not for the judge to decide, it's for the Jury. This is why we have Jury trials. Specifically it's supposed to be your 'peers.'
The question is asked, "Do you think this person is guilty of stealing from this company?"
The judge says, "This is what the law is and what it says."
The lawyers say, "this is what the defendant did or didn't do."
Then it's up to the Jury to decide if what the defendant did or didn't do counts as breaking the law.
Sometimes it's cut and dried...but if it was always black and white like that we wouldn't need juries. Juries are specifically for cases like this where the people say, "Yes, I ordered all that stuff, but I didn't think it was breaking the law." The people on the jury say, "You know...I probably wouldn't have known it was against the law either." or they say, "Don't be an idiot. That's obviously against the law." That's why they are supposed to be 'peers.' People who 'generally' think the way you do.
Another example of 'great jury fodder' is self-defense. "I would have done the exact same thing in the situation."
--Welcome to the Realm of the Hawke--
There are a number of occasions in England where a jury's refusal to convict whistleblowers for releasing embarrassing state 'secrets' has done a lot to rein in the government. Yes, you pay a price in terms of some real crimes being unprosecutable as well - receiving stolen goods for example - but overall I think the price is worth paying.
So does your definition of 'civilised' equal 'authoritarian'?