NEW YORK (CNNMoney) — A group of security researchers say software flaws in the ways major merchants have implemented payment systems from PayPal, Amazon Payments and Google Checkout allowed them to buy products online for free or at a deep discount.
The researchers, from Indiana University and Microsoft (MSFT, Fortune 500) Research, said “logic flaws” created inconsistencies between the merchant site and the payment service.
As a result, study co-author XiaoFeng Wang said his group was able to procure items like DVDs and electronics chargers by gaming the system in multiple ways. They could add a discount of their choosing, shop for free after paying for one item, or buy an expensive product for the price of the cheapest item.
In some cases, the researchers convinced merchant sites that they had paid for an item in full — while actually making the payment into their own seller account at Amazon.
The researchers made clear that most of the security lapses were on the third-party merchants’ side, not the payment processors’.
In response to the study, PayPal parent eBay (EBAY, Fortune 500) noted that the issue stems from “developers not following proper best practices when integrating payments.”
Amazon did not respond to requests for comment. Google said it was looking into the study results, and emphasized that Google Checkout has multiple fraud detection systems.
Wang compared the logic flaws to a naughty child who wants a piece of candy: The child tells the mother that the father said it was OK, and then tells Dad that Mom said it was fine. If the two parents aren’t communicating effectively, the kid gets the candy.
