Online transactions rely on a trusted third party, or “cashier,” who bridges the gap between vendors and their customers. The use of a third party cashier, however, also complicates the payment logic and introduces a new class of vulnerabilities that can result in significant financial losses to merchants. Computer scientists found flaws in e-commerce software that allowed them to purchase stationery, candy, and toys online at below their correct cost.

A popular open-source software for e-commerce is vulnerable to being cheated, computer security researchers at the Univesity of California, Davis, have found. By exploiting vulnerabilities in the widely used osCommerce software, the researchers were able to purchase items from online stores for free or substantially less than their correct prices.

“The majority of the payment modules in osCommerce are vulnerable to logic attacks that allow you to pay less or even pay nothing at all,” said Fangqi Sun, a graduate student working with Professor Zhendong Su in the University of California (UC) Davis Department of Computer Science. A UC Davis release reports that the researchers have been attempting to notify osCommerce of the discovered vulnerabilities and to help the developers patch the software. They have also refunded the vendors for items they purchased at below cost during their research.