Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Bug Businesses Crime Security

Bug In Lowe's Site Sold Goods For Free. Couple Arrested For Exploiting It (bleepingcomputer.com) 239

An anonymous reader writes: A couple from the Brick Township in New Jersey stands accused of using a flaw in the Lowes online portal to receive goods for free at their home. According to the Ocean County Prosecutor's Office, the couple tried to steal goods worth $258,068.01, but only managed to receive approximately $12,971.23 worth of merchandise. Officers executing a search warrant said the residence resembled "more of a warehouse than a home." Investigators said they recovered enough merchandise to fill an 18-foot trailer. Most items were in their original packaging and still had their price tags. Police say one of the suspects posted ads for some of the stolen goods on a Facebook group used to buy and sell used objects. The suspect was selling most of the items at half the price offered on the Lowes website. Authorities did not provide in-depth technical details but revealed the flaw resided in the site's gift card module.
One of the suspects' lawyer argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.
This discussion has been archived. No new comments can be posted.

Bug In Lowe's Site Sold Goods For Free. Couple Arrested For Exploiting It

Comments Filter:
  • I clicked to read more so I could see how many people would be saying that it's not really theft if Lowes didn't prevent it from happening. You know, like if a shoplifter walks out of their store with a $20 impact socket in their pocket, and Lowes didn't notice him doing that, then it's totally Lowes' fault that he stole that.
    • by chuckugly ( 2030942 ) on Sunday August 20, 2017 @04:54PM (#55053725)
      More like if Lowes self checkout station set the price on some goods at $0 if they were scanned upside-down, and people just checked out and left. And then got arrested.
      • by JaredOfEuropa ( 526365 ) on Sunday August 20, 2017 @05:07PM (#55053773) Journal
        This is more like those people hearing about that trick (or maybe finding out themselves), then making sure they scanned every item upside down. It's similar to incorrectly priced items, and over here (NL) the law is sort of clear on that. If an item is priced too low by accident (or rung up incorrectly at the register), the customer gets to keep the purchase at the lower price... unless there is a "clearly apparent mistake". A €1000 TV priced at €800 would not be a clear mistake; a €200 discount would be a really good one, but plausible. That same TV priced at €100 is clearly a mistake though. Same as someone who manages to order over $18.000 worth of goods on a $20 gift gard because of a flaw in the system. Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here. How does that work in the States?
        • by ShanghaiBill ( 739463 ) on Sunday August 20, 2017 @05:11PM (#55053797)

          Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

          But would they be charged with a crime?

          • Nevermind that, would the stuff even blend?

          • I've no idea, honestly. A lot depends on the exploit they used, how well they cooperate once caught... In this case the fact that they went all out and put a bunch of their ill gotten items up for sale doesn't speak well of their intent. My guess is yes, they would be charged. But if you get a €20 card and use it to order €100 worth of stuff and kept all of it for yourself, I doubt there'd be any charges.
          • by ClickOnThis ( 137803 ) on Sunday August 20, 2017 @06:09PM (#55054005) Journal

            Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

            But would they be charged with a crime?

            If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.

            • by Registered Coward v2 ( 447531 ) on Sunday August 20, 2017 @06:51PM (#55054131)

              Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

              But would they be charged with a crime?

              If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.

              Exactly. I f they stumbled onto a "great deal" once and bought it I would say they shouldn't be charged with a crime. However, find over 250k$ of "good deals" (as their lawyer claims) crosses the line into criminal, IMHO.

              • Exactly. I f they stumbled onto a "great deal" once and bought it I would say they shouldn't be charged with a crime. However, find over 250k$ of "good deals" (as their lawyer claims) crosses the line into criminal, IMHO.

                In the Land of Affluenza, anything seems to be possible. Some call it "the land of unlimited possibilities" after all...

          • by AmiMoJo ( 196126 )

            In the UK they might, if it could be shown that they realised what was happening and decided to abuse it. All EU countries are similar I think.

            It's similar if someone accidentally transfers money to your bank account. If you suddenly find a million Euros in there that you weren't expecting and decide to spend it, you stole that money. You could not have reasonably have thought it was yours. If it's just 100 Euros and you normally get thousands a month from your job anyway it could be an honest mistake to sp

            • Re: (Score:2, Insightful)

              by Anonymous Coward

              This involves a ton of contract law and consumer protections laws, which span huge volumes of the law. Trying to condense this to a simple yes/no is going to miss a ton of nuance.

              But, ultimately, if the seller can demonstrate that the buyer had intent to defraud, they will have no problem prosecuting the buyer.

              In the case of Lowe's here, intent to defraud is pretty clear, since a) the software glitch was used repeatedly and consistently - showing that it wasn't an accident nor a mistake - and b) no honest p

            • If you suddenly find a million Euros in there that you weren't expecting and decide to spend it, you stole that money.
              Actually not.
              The guy who made the wrong transfer can cancel it.

              Such mistakes happened and the receivers did not get charged. Especially if it is an error of the bank, as a twisted account number.

              • >> If you suddenly find a million Euros in there that you weren't expecting and decide to spend it, you stole that money.
                > Actually not.

                It depends on the Country you are in. My understanding is that under the Union Jack it's called "Theft by finding."

                The trick with laws is to remember that what is right is not necessarily the law, and what is the law for you is not necessarily the law for someone else.

            • by hjf ( 703092 )

              Heh, here in taxland (Argentina) we have tax on deposits. 0.6% of every deposit in any account. So if someone deposited 1M in your account and removed it, you'd still get taxed $6K.

              It has happened before.

          • But would they be charged with a crime?

            This couple (likely) did something to activate the 'mistake' in the website, once they intentionally repeated their activation they flipped from customers to thieves, so they should be charged with a crime.

            I suspect they discovered some 'test' credit card info that Lowe's uses to test the software that by-passes credit authorizations, likely revealed to them by a friend or relative that works at Lowe's corporate offices.

            If what I suspect is what happened, that would be an example of a chargeable crime.

            If th

          • Re: (Score:3, Insightful)

            by intermelt ( 196274 )

            Most references to US law imply that they would need to return the merchandise or pay for it if it is an obvious error in pricing. However this all probably depends on how they received the discount on the merchandise. If it was a coupon code or certain methods of clicking, then they are probably ok. However of they say used something like the Chrome inspector to change prices submitted to the backend then they are probably liable for theft and/or hacking.

            • Re: (Score:2, Insightful)

              by Anonymous Coward

              However of they say used something like the Chrome inspector to change prices submitted to the backend then they are probably liable for theft and/or hacking.

              If you can do that, they are asking the users computer to tell them what the price is / should be, and the computer not being a person, this thus becomes asking the user.

              Basically a "name your own price" scheme, as has been used before for things like music and indie-games.

              I would not consider any place a civilized country where a customer could be convicted of answering "nothing" when asked what he wants to pay for an item. In any reasonable law, that answer is considered an offer to buy the item at that p

          • But would they be charged with a crime?

            That really comes down to intent. If a mistake happens and you walk away with a lot of change then no crime was committed. You're not required to correct other people's mistakes.

            If you knew that one person made the same mistake over and over again and you went to that specific person to knowingly exploit his mistake then you're defrauding them. That is a crime.

            I bought 4 HDDs for $23 ea from an online retailer in Australia (list price $230 at the time). I did it once. The law is on my side. If I went back a

          • by Aereus ( 1042228 )

            I assume they repeated the exploit an inordinate number of times to attempt purchasing $250k worth of products. Therefore the intent to defraud Lowes was clear.

          • Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

            But would they be charged with a crime?

            It depends on scale, doing it now and again on small things for yourself would probably get you told off. Ordering a quarter millions worth of everything you can and you'd probably be looking at some kind of fraud or intent charges.

        • by ClickOnThis ( 137803 ) on Sunday August 20, 2017 @06:07PM (#55053999) Journal

          Come on everybody. This is Slashdot. We need a car analogy.

        • Which state? The United States has 50 states with often different laws. They may be some federal over reaching laws but the details are managed by each state.

          Normally a store can refuse to sell until they pay.

          Often they will let mistakes like this slide as to keep the customer happy and there isn't the big of a loss. But they can refuse to sell if there is a mistake in the price... but if they don't fix the problem quickly then they may be going info false advertising.

          For Lowes, I expect if these people

        • by hjf ( 703092 )

          In Argentina there is no "clear mistake" option. The seller is obligated to sell the product at whatever price he put in the price tag. It doesn't matter if it was a mistake. Learn from your mistakes, I suppose.

          I filed a claim against a seller for precisely that. They were selling a machine with 64% discount. I paid for it, then they canceled the order. So, I filed the claim. There was no mistake, though. It was labeled "HOT SALE". So if they advertise "AMAZING DEALS" and one product is 64% off, then it's

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        If you picked up a couple of goods like that in a basket, I'd call the arrest unreasonable.

        If you went back and picked up an entire trailerload of those goods and only those goods, and walked out without paying a cent, I'd say at that point you should have realized something was wrong, and now we've got clear evidence of malicious intent.

      • Maybe the first time, but not the $250,000 worth of consecutive times. By then it's intentional.
    • by sjames ( 1099 ) on Sunday August 20, 2017 @05:02PM (#55053749) Homepage Journal

      Don't be silly. This wasn't just Lowe's not noticing some stealthy action, this was Lowe's willingly packing up and shopping the goods to the couple after receiving no money.

      Given the volume and value of the goods, I find it hard to believe that the couple had no idea it wasn't just a really good deal, but I can somewhat see why they might not have fully realized it was a crime.

      Hopefully, they will be required to return the goods and receive a non-custodial sentence and a stern warning.

      • by mikelieman ( 35628 ) on Sunday August 20, 2017 @05:08PM (#55053779) Homepage

        Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

        Lowes is just full of fail on this one.

        • by Dragonslicer ( 991472 ) on Sunday August 20, 2017 @06:03PM (#55053975)

          Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

          How would a warehouse worker or truck driver know that the customer wasn't correctly charged by the website for their purchase?

          • by blindseer ( 891256 ) <blindseer@noSPAm.earthlink.net> on Sunday August 20, 2017 @07:09PM (#55054187)

            Got that right. There is a communication problem in any big organization. This can be taken advantage of if you know the system.

            In the Army there's a lot of delegation and division of duties. I've seen this used and abused. A fellow recruit (happened to be prior service Marine so he knew the system better than I) and I needed to get some luggage before getting our orders but we knew that if we simply asked for permission to go to the PX it would likely be denied. He just said to follow him and I did, I watched him go from one sergeant to the next with BS and half truths and in 20 minutes we were walking to the PX. He just did a Jedi mind trick on three sergeants to get us what we wanted. That's a pretty mild abuse of the system and if someone ever asked too many questions it would have been a "don't do that again" warning.

            Another recruit would like to pull this trick by claiming "Sergeant Major says..." which got annoying real quick. Going to ask the Sergeant Major every time would have taken more time than just doing what he asked and I don't know if he got nailed on it. I got my luggage and my orders and I was gone before that happened.

            • by gfxguy ( 98788 ) on Sunday August 20, 2017 @10:02PM (#55054729)

              Got that right. There is a communication problem in any big organization. This can be taken advantage of if you know the system.

              The rest of your comment aside, a warehouse worker or truck driver shouldn't need to know the price of the items they are packing and delivering - they get their marching orders from a printout (or electronic message) that tells them what to pack and likely prints a shipping label for them.

          • by iCEBaLM ( 34905 ) on Sunday August 20, 2017 @08:29PM (#55054415)

            That's Lowe's problem, or at least it should be. If a company is like a person then there's no excuse. If you ask a person to ship you free things, and they do, then I fail to see how this is a crime.

          • Normally when retailers ship goods to me there's an invoice that says how much was paid
          • by AmiMoJo ( 196126 )

            Indeed, zero cost orders are not that uncommon as they are used for things like warranty replacements and exchanges.

        • by Ichijo ( 607641 ) on Sunday August 20, 2017 @06:10PM (#55054007) Journal

          So that customer found multiple vulnerabilities in Lowe's order fulfillment process. I think that's worth a bug bounty of well over $13k. Lowe's should say thank you and call it even.

          • I'd agree with you on two conditions. First, if the stuff they ordered were stuff that they intended to keep and use themselves. Second, if they reported the flaw themselves.

            Among the items were 3 vacuum cleaners, multiple pairs of boots, and... $25000 in underwear? Lowes sells underwear? If they hadn't bought enough furniture to furnish their house many times over then they might have an excuse for this being a "mistake". It still could have ended in criminal charges but they'd have a better bargainin

        • Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

          Lowes is just full of fail on this one.

          Agreed. But Lowes did not commit a crime. The NJ couple allegedly did. They found a flaw in their online commerce system and exploited it repeatedly.

          In large corporations, one hand often does not know what the other is doing. Once a shipment is authorized, shipping ships it. Eventually somebody might notice that the same address keeps receiving items for $0.00, and notify someone.

          Yes, Lowes screwed up. But nobody expects a company like Lowes to give away stuff for free. They might be expected to write off a

        • There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

          Nope. You're assuming that every point in the line checks forward and checks back. That's just not the case. The 3 computer functions and the dozen physical acts work in isolation without knowing what happened prior or post. The reason for this plentiful. There are legitimate reasons for some things to be shipped for free. There are legitimate reasons for some things to cost nothing. There's legitimate reasons for multiple bits of paperwork that control different parts of the process being generated (such a

        • Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

          Lowes is just full of fail on this one.

          If you don't know, then you don't understand how a simple work flow works (especially for a big companies/corporations). It is just a simple logic why they do it the way they did.

          Each check point is supposed to correctly validate inputs. If it works properly, there should NOT NEED to have redundant validations along the line later on because other processes do not need to know what other process is doing because it is not their job to validate others' work. In this case, the validation happens at the POS d

      • Given the volume and value of the goods, I find it hard to believe that the couple had no idea it wasn't just a really good deal, but I can somewhat see why they might not have fully realized it was a crime.

        Well, unless they were under the impression the gift-card-that-kept-on-giving was a magical talisman, I'd have to lean towards some malfeasance. For certain, their story won't be retold on an episode of Criminal Masterminds... they apparently had the purchases sent to their home and were reselling them on the Facebook

        • by sjames ( 1099 )

          That's why I am suggesting they return the goods and get a non-custodial sentence rather than "not guilty".

      • by xlsior ( 524145 )
        Hopefully, they will be required to return the goods and receive a non-custodial sentence and a stern warning.

        Except they've already re-sold part of it for a fraction of the value, so it'll be impossible for them to just hand everything back.
      • by zmooc ( 33175 )

        I'm not familiar with the local law, but I don't think it's a crime unless they refuse to give it back. Where I live that would be the default lawful way to go. The article isn't really clear on this, but it doesn't sound like they asked them to give the stuff back at all. Instead, they went to the police and had them arrested for theft, which it obviously wasn't since the so called victim shipped the goods to them.

        Where I live (the Netherlands), the law is very clear on this: this would definitely not be t

      • Comment removed based on user account deletion
    • by quonset ( 4839537 ) on Sunday August 20, 2017 @06:39PM (#55054089)

      how many people would be saying that it's not really theft if Lowes didn't prevent it from happening.

      And you were correct in your assumption. Looking below, one can find many people blaming Lowe's. Not the criminals who deliberately exploited this flaw, not the criminals who were trying to resell their ill-gotten goods, not the criminals with piles of merchandise they obviously knew were stolen. Nope, it's all on Lowe's.

      One can imagine a scenario where people who go to Lowe's, pick up an item and walk out of the store without paying for it would be considered completely absolved of their crime because Lowe's didn't prevent it from happening.

      It's amazing the excuses used to justify criminal behavior.

    • They exploited a flaw, caused material damage. They also profited from it. Any more questions?

    • I don't know the facts; the article didn't give them. It depends on what they had to do; if they didn't have to actively subvert the site, it's more like they took it to the checkout counter and the register charged them $0 for it. They even have the receipt. Is that theft?

  • >insisted instead that his client just had a really special knack for finding good deals.

    Right, nothing beats a five-finger discount for a "good deal", and add free shipping to boot - priceless!

    • Have you seen any of those coupon shopping reality TV garbage shows? Its perfectly plausible to buy $500 worth of random clearance crap with $10 and a binder of coupons.

      • by swb ( 14022 )

        There's an entire subculture of people that do that. My brother in law used to work in some kind of security department at Target and he worked on a team that specifically focused on people who had kind of figured out how to exploit the system this way. They were serious enough about it to use the security cameras to track people down to their vehicles.

        I don't really know if this was actual fraud, like counterfeit coupons or just collections of really lucrative coupons in combination. The casino analogy w

  • What aisle of Lowe's do they sell that?
  • by __aaclcg7560 ( 824291 ) on Sunday August 20, 2017 @05:03PM (#55053755)
    Many years ago I bought my current desk from the OfficeMax store for $55. Several months later I got an OfficeMax coupon for $50 off ANY desk with no other restrictions listed. So I went back to the store, pulled the desk off the shelf, and presented the coupon to the cashier clerk. The register refused to accept the coupon. When the manager came over, I pointed out the word "ANY" on the coupon, and he overrode the register. I got a $55 desk for $5 plus tax. Later on I got another $50 coupon without the word "ANY" and restricted to $500+ desks.
    • Why do you need two desks?

      • Why do you need two desks?

        One desk for my laptop, file server and 23" monitor, the other desk for my video editing PC, Red Hat Linux PC, and 23" monitor. I also have folding table to store my electronic parts, soldering irons and testing equipment.

    • About 15 years ago when I moved and signed up with Comcast for a cable modem (they were the only high speed choice there - too far for DSL), the lady tried to upsell me by adding a TV package. She said If I bundled the two I would get a $15 discount. and mentioned various TV packages from $40 to over $100. I asked if there was anything cheaper since I had heard about a basic "must carry" level, and she admitted it existed and was $8. I confirmed with her that by signing up for a $8 basic TV package, I would
    • what about the ANY coupons that have a long list of stuff they don't cover.

  • Lol... Isn't like the FIRST FUCKING RULE of software development, "Don't migrate to production until it passes ALL QA tests. And if their QA tests left a hole like this open, time to hire a new QA manager!

    (Lowes, contact me and I'll send a resume )

  • class warfare (Score:5, Insightful)

    by PopeRatzo ( 965947 ) on Sunday August 20, 2017 @05:34PM (#55053865) Journal

    When a consumer exploits a bug in the system, they get arrested. When a corporation or rich person exploits a bug in the system, it's called, "smart tax planning".

    • by sjames ( 1099 )

      Mod parent up!

    • When a corporation or rich person exploits a bug in the system, it's called, "smart tax planning".

      Those are not bugs. They are intentional features, which were implemented deliberately at the request of the highest-paying customers, like most new features.

  • One of the suspects' lawyer argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.

    Yeah, good luck with the 'good deal' defense...

  • Comment removed based on user account deletion
  • It sounds like they discovered a way to combine a few offers to reduce the purchase price to zero or close to it. If Lowe's made those offers (intentionally or not) and the couple didn't change the pricing through hacking the system, this is indeed just high-tech bargain hunting. If they changed any of the site's content (even if it's client-side code), then it's manipulation which could be considered hacking. But if all they did was take advantage of the offers, Lowe's made them, then it's just criminal
    • It sounds more like they were using fake/non-existent gift cards, as the summary and article state there was a flaw in the Lowe's gift card "module." An acquaintance did something similar (though likely much more low-tech) at a restaurant where he worked. His method was obviously illegal, though he got away with close to $50k in embezzlement before he got caught, and convicted.
  • Wells Fargo (Score:5, Insightful)

    by Herkum01 ( 592704 ) on Sunday August 20, 2017 @07:45PM (#55054267)

    Did Lowe's contact them, submit a ticket complaining about the problem? Unless they spent 3 hours waiting on the phone, I think they jumped the gun calling the police.

    Sounds ridiculous? Well that is what Wells Fargo was doing to its customers and it was called an accounting error. Trying calling the police on Wells Fargo when they are making up bank accounts in your name, or forcing you to buy un-requested care insurance.

  • When there are no customer service agents to assist, and the answer is always "what does the website say?", this is the risk you run. At what point does it become a customer's responsibility to sanity-check a massive corporation's self-service portal? I say at no point. If your system stacks multiple discounts and you don't have rock-solid rules and checks, and I find a way to reduce the price to zero, then I assume that *is* a really good deal I've found. This is extreme couponing, not hacking. If an instant cash-back offer is more than the sale price, am I stealing? I think not.
  • Comment removed based on user account deletion
  • One of the suspects' lawyer argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.

    "Yeah, your honor, I was on the website and I pushed some stuff and it started sending me free stuff. I didn't mean it!"

    Which of course is invalidated the moment they use the 'problem' again for more and more free stuff. Shameful.

    Unlocked door doesn't make it suddenly OK to steal other people's stuff, sorry!

  • I needed a circular saw; mine broke today.

    Lowes, you just 'lost' a 'customer'.
  • Back in the 1990s you'd get the occasional feelgood story on TV about someone using stacks of coupons to get a cartload of goods for a couple dollars.

    They'd use multiple double or triple coupons with a series of other coupons and such to make many of the items free when you bought them with other items that were heavily discounted.

    If these people used a flaw in the gift card system, it sounds like something similar.

    • by devjoe ( 88696 )
      Unless the flaw in the gift card system they were exploiting was by checking the balances on Lowe's gift cards they didn't own, but had determined the sequence of numbers for, and spending other people's balances as soon as they saw the cards had value. Or they found some way to recharge a gift card without paying money. Or some similar glitch in the gift card system.
  • The reason they were able to get the good was the direct result of a bug in the website, and they were not responsible for the creation of the bug or what the bug could exploit, therefore, leaving the couple completely in the clear. The couple could easily explain that they figured the bug was a feature and because they had no hand in the original design of the website / infrastructure, they had no way to know or question its operation.

No spitting on the Bus! Thank you, The Mgt.

Working...