Discovered a Loophole, What to Do?

Hi All,

I have a question of ethics here… I recently discovered a loophole on a big retailer website. Basically I am able to make orders without paying anything, I've confirmed it 100% works.

Unsure as to how to act here… my obvious options are:

  • Report the issue to the company
  • Do nothing
  • Take advantage of it

What are your thoughts on these sort of things? I'm torn.

PS: No, I won't disclose the name of the retailer or how it works.

Comments

  • +66 votes

    A loophole? That's disgusting!

    Please tell me the website immediately so I can avoid it!

  • +14 votes

    To the O.P.

    When you ask the OzBargain community these things, there will be members that are on their high horses that claim they have never done anything unethical in their entire life, and preach that you should do the same. However, when they think no one's around.. do you think they will act the same way?
    According to the votes on this deal (which was originally posted for Hotmail users https://www.ozbargain.com.au/node/91344), there are a lot of silent members who won't publicly speak about promoting or partaking in "unethical" actions.. sweatshops in shoe factories, foxconn to name a few. It'll be a lot like this
    A little loophole is nothing.
    Either go on a crusade against unethical actions of the world or don't do it at all.
    Please note, most of the opinions here would be likely to sway towards "report it to the company" as the silent majority would gladly partake in whatever loophole you have found if they knew about it.

    If anything, the loophole is the retailer's programmer's inability to perform. No one expects a friendly reminder of things you're doing wrong from the general public, if you make mistakes that cost the company, you're at fault and you deserve to be fired. Usually the person who reminds the person that they're wrong.. doesn't get rewarded, they usually get a broken relationship with the programmer.

    Behind every great fortune, is a great crime. - Chris Rock, 2009
    Sale of cigarettes
    Is it ethical to produce cigarettes? Is it ethical to produce alcohol such as wine, beer, spirits? One causes lung cancer, the other causes liver damage. Such questions would be a lot more important than the loophole here buddy :)

    • +2 votes

      Life is not black and white. Our struggles are our struggles, not someone else's. Our crossroads are our crossroads, not someone else's. Cwongtech, Just because you are either "all in or all out" doesn't mean everybody else should be the same.

      OP, you seem to be a decent human being that enjoys bargains, like I imagine the majority of us are.

      I would not bring the OzBargain community down to a bunch of people that would steal, pilfer, deceive and take advantage of others at any given opportunity. We do like to partake in bargains, but there is a grey area across some of what happens around here too.

      cwongtech, Don't be so harsh on someone for wanting to do the right thing. And don't belittle them for trying to do the right thing by others.

      OP, Don't let other people's apathy, cynicism or resentment affect how you feel about and act towards others and the world we live in. We walk in our own shoes, not theirs.

      I believe you put the question out here to assist you in making an informed decision. If you decide to tell the retailer, that's your decision. If you decide not to tell them, that's your decision. In the end, it's your decision, not someone else's.

      • +2 votes

        I would not bring the OzBargain community down to a bunch of people that would steal, pilfer, deceive and take advantage of others at any given opportunity. We do like to partake in bargains, but there is a grey area across some of what happens around here too.

        No, but clearly OzBargain members are happy to take advantage of unintended discounts. See toilet paper threads, Link2

        I believe you put the question out here to assist you in making an informed decision. If you decide to tell the retailer, that's your decision. If you decide not to tell them, that's your decision. In the end, it's your decision, not someone else's.

        Agreed, but just wanted to remind the OP there will be a bias of opinions when you ask such questions. It's like asking "Which corporation would like to make a lot of profit?" I bet you 100% of the time if the PR employee had to answer the question, their response would have keywords such as "ethically" "sustainably" "responsibly".

        Our crossroads are our crossroads, not someone else's. Cwongtech, Just because you are either "all in or all out" doesn't mean everybody else should be the same.

        "I like to do a little sin, but not too much." That makes you a sinner.
        "I like to do a little bit of good, but not too much." That doesn't make you an angel
        "I like to take a few photos." That doesn't make you a photographer
        "I like to write." That doesn't make you an author
        "I like to lift sometimes." That means you aren't pushing to the limits.
        In all these cases, you should either do it with a passion, or not do it at all. Go hard or go home. If you don't do either, you're in the middle, you're wasting time.

        • +4 votes

          "I like to drink alcohol occasionally." Does that make me an alcoholic?

          Go hard or go home. If you don't do either, you're in the middle, you're wasting time.

          Ahh, so moderation is the enemy? What rubbish.

        •  

          @mcmonte:
          It doesn't make you an alcoholic but it makes you a drinker.
          If you're going to destroy your liver, make sure you drink something that's worth it.. please don't be a bogan and waste your liver on goon.. drink something nice you'll enjoy :)

        • +4 votes

          Are you a Sith? Only Siths deal in absolutes

    •  

      Chris Rock may have said that but it's not his.
      http://quoteinvestigator.com/2013/09/09/fortune-crime/

  • +3 votes

    It's pretty simple
    if the site has a lot of negative reviews - you exploit it

  •  

    Not sure how you have been doing this but if you have the goods shipped to your house they could track you down if/when they find the loophole. Myself, I would notify them of the loophole, if you want to do it anonymously then open a fake email address and send it from there.

    •  

      Not sure what they would do when they track you down. If it's a loophole in a big retailer, I'm sure OP's order would have been buried amongst 1000s of orders. I would definitely not notify them (if I could turn back time!)

      • +1 vote

        I would think it isn't hard to do a search on orders that have $0 cost.

        •  

          It's not that hard, either search for $0 orders, or if it invoices at a value but doesn't collect payment then you look for where value of payment is lower than total combined payment less discounts.

          Look at things like where discount from coupons is higher than X%, etc.

          It's easy.
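Added example (not part of any comment in this thread, and not any retailer's code): the reconciliation described in the comment above, run as a query over a constructed schema. It reads "value of payment is lower than total combined payment less discounts" as "amount collected is lower than the invoiced total less discounts"; table and column names, the sample rows and the 50% threshold are assumptions.

```python
import sqlite3

# Constructed sample data for shipped orders. Amounts are integer cents.
ORDERS = [
    # (order_id, subtotal, shipping, coupon_discount)
    (1001, 50000, 1000, 0),       # normal order, fully paid
    (1002, 120000, 0, 120000),    # coupon wipes out the whole invoice
    (1003, 80000, 1500, 0),       # invoiced at value, payment never captured
    (1004, 20000, 500, 15000),    # paid what was invoiced, but 75% coupon
    (1005, 30000, 0, 3000),       # two partial captures that add up
    (1006, 40000, 0, 0),          # captured, then refunded, still shipped
]
PAYMENTS = [
    # (order_id, amount, status)
    (1001, 51000, "captured"),
    (1003, 81500, "authorised"),  # an authorisation is not money collected
    (1004, 5500, "captured"),
    (1005, 20000, "captured"),
    (1005, 7000, "captured"),
    (1006, 40000, "captured"),
    (1006, -40000, "refunded"),
]

RECONCILE_SQL = """
SELECT o.order_id,
       o.subtotal,
       o.coupon_discount,
       o.subtotal + o.shipping - o.coupon_discount AS due,
       COALESCE(SUM(CASE WHEN p.status IN ('captured', 'refunded')
                         THEN p.amount END), 0) AS collected
FROM orders o
LEFT JOIN payments p ON p.order_id = o.order_id  -- keep orders with no payment row
GROUP BY o.order_id
ORDER BY o.order_id
"""


def flag_orders(orders, payments, max_discount_pct=50):
    """Return {order_id: [reasons]} for shipped orders that need manual review."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, subtotal INTEGER,"
               " shipping INTEGER, coupon_discount INTEGER)")
    db.execute("CREATE TABLE payments (order_id INTEGER, amount INTEGER, status TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", orders)
    db.executemany("INSERT INTO payments VALUES (?, ?, ?)", payments)

    flagged = {}
    for order_id, subtotal, discount, due, collected in db.execute(RECONCILE_SQL):
        reasons = []
        if due <= 0:
            reasons.append("zero_invoice")    # the "$0 orders" search
        if collected < due:
            reasons.append("underpaid")       # invoiced, but money not collected
        if discount * 100 > subtotal * max_discount_pct:
            reasons.append("high_discount")   # coupon discount above X%
        if reasons:
            flagged[order_id] = reasons
    db.close()
    return flagged


if __name__ == "__main__":
    for order_id, reasons in flag_orders(ORDERS, PAYMENTS).items():
        print(order_id, ", ".join(reasons))
```

Summing only captured and refunded amounts is what catches order 1003, where a payment row exists but nothing was ever collected.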

        •  

          @Drew22:

          Look at things like where discount from coupons is higher than X%, etc.

          Be extra careful, consider it unauthorised discounts :) Just pay 50% of what it's supposed to be then.

  • +2 votes

    Do what your gut tells you. Everyone's different

    Just don't put them out of business!

    Perhaps this IS the karma bit where you're being paid back kindly so if you don't collect now there won't be another chance

    •  

      Gut doesn't exist. Don't trust your gut, trust your brain.

  •  

    Thing to also remember, once finding said loophole they may have the possibility of checking orders that may have used the hole

    As you said it's not small change, could be worth their time chasing money owed

    •  

      OP should offer to tell them about a loophole on their website, in exchange for not being charged for whatever he obtained when exploiting it.

  • +11 votes

    sounds like a researcher doing a social experiment. not a lab rat so no answer from me.

    • +1 vote

      I concur. Who the hell brags about this on OzBargain?? If he goes ahead, the lawyers will have all the evidence they need to convict him if they find out. If he doesn't go ahead, then he's going to feel bad for missing out on great 'free' deals.

    •  

      No social experiment, I wouldn't be wasting my time posting hypotheticals.

  •  

    Let's hope it's the Apple store, free iPhones would be good :)

    • +1 vote

      Pull out game not strong

  • +6 votes

    how did you find it? was it coincidence? or do you like to test websites for any loopholes?

    On the other hand I know a loophole in a company by mistake that's giving me ~$20 off each month. I have been using it for 3 years so far. At least I am paying something and count this as a discount for their bad service from time to time.

  • +15 votes

    I hope it's Harvey Norman

  • +1 vote

    Well, exploiting a loophole might be illegal and cause problems. If you get an item for free and you don't pay for it you might be accused of a security breach or something similar. Sounds ridiculous but I think that if your actions result in a financial loss for a retailer and these actions were not something that 'a reasonable person would do', he has a right to sue you. So be careful here.

  • +5 votes

    OP, did you manage to get that Groupon code to work?
    ;-)

    • +1 vote

      haha… I didn't end up going ahead with it.

  • +4 votes

    Do NOTHING

  • +5 votes

    I'd keep doing it, dumb retailer should check if customer has actually paid before shipping..

  • +1 vote

    What's the store?

  • +2 votes

    Is this a real situation ???
    Or are you just a researcher putting forth a hypothetical and then collecting 'data' based on answers given ???

    • +5 votes

      Yeah, that's essentially blackmail.


      If you get caught exploiting a loophole to obtain goods you could face legal troubles. Arguing that it is their fault won't save you. You can't steal stock from the store because you know that their warehouse door lock is broken. You can't steal a car because the owner left the door unlocked. You can't steal things from a retailer because they're unaware of a security exploit.

      Inform them of the problem but don't hold your breath expecting a reward. You'd be lucky to get a thank you.

      • +3 votes

        You can't steal things from a retailer because they're unaware of a security exploit.

        Is it stealing when it's a coupon code that's not working as it was intended to? I.e. kitchenwaredirect - I'm fairly sure this was unintended (https://www.ozbargain.com.au/node/201433)

        Free shipping for items under $5?
        I.e. the transaction goes through with some extreme discount that was unintended. Would you call that stealing? Would you call that ethical?
        What makes transactions ethical and unethical?
        What makes the prices ethical and unethical?
        What if you knew the profit margins on an item?
        How do you class high margins?

        I would only tell the retailer if it's indeed a security exploit - a cause for concern should it lead to other customer's private details being leaked.

        •  

          Taking advantage of a mistake isn't the same as exploiting a system and gaining things by deception. Companies can legally refuse to honor a deal if it is an honest error (bait and switch is obviously different).

          I wouldn't argue jumping on a great deal is unethical because you haven't illegally altered and abused the system to create it, it is a mistake on the retailer's end and it is their responsibility and ultimately their choice whether or not to honour the deal or refuse. Refusing often creates some bad PR for the company so they'll often choose to honour it to avoid a shitstorm.

          What this boils down to is that the OP is asking whether or not he should engage in fraud. The answer legally and morally is no.

        •  

          @Juddy: true, though is not always a (conscious) choice by the retailer to honour the deal… Many places are large enough that the chap being told by the computer system to ship out XXX has no idea what was paid or not paid - invoices are sent separately by an automated system.
          (Case in point, (IIRC) a friend was once browsing a telco's website for a mobile & saw one offered for free [it was a mistake, he wasn't on contract] he "bought" it and received it. The invoice was emailed ($0) and the packing slip that came with the phone didn't mention anything to do with payment).
          There often is no auditing/checking of orders once a computer system has approved them…

      • +2 votes

        I don't think it's blackmail unless you are threatening them.
        It's like saying, 'I found a way that thieves could get into your warehouse, and I'll tell you if you compensate me for my time in finding it', if they said no, and you don't tell anyone the hole or act on it, then I don't think that there is anything wrong with that.

        • +3 votes

          consider yourself a security contractor and just send them a reasonable bill for the info

        •  

          If you are asking for some form of compensation it could easily be interpreted as blackmail. There is an implied threat that you know something that could cost them financially. Not everyone might interpret it that way, but you have to be very careful with stuff like this.

        •  

          @Juddy: that's a good point to be careful, even act anonymously, but you are under no obligation to report issues at all just because you know about it.

          Might be a good idea to CYA and return the items to a clueless sales assistant with just a vague story that it "was sent by mistake" while recording that it has been turned on video, and flee. Then they can't claim theft if they figure it out.

        •  

          @Calam05:

          Speculative invoicing is illegal…

        •  

          @Drew22:

          hahaha ok just ignore what I suggested ^_^

  • +9 votes

    There's no point in just handing this information over to the business for no reward. If you want to try and get something out of it, then you could order yourself a new TV or computer or something and see how far you get. If you keep aside the money to pay for the item, you can always pay for it once they notice what's happened. However, the stress you'll feel over whether they're going to catch you out or not isn't worth the risk in my opinion. And even if they follow through with sending the item to you for free, if it's worth their time chasing it up, they can easily take you to court after the fact. A new computer (for example) isn't worth that stress.

    Another option is sell the exploit to someone else, who will then make use of it. The problem with this scenario is if the person uses it and gets caught, they will dob you in; you could get in trouble for the small amount of money/favours you obtained from this person. If the person doesn't get caught, then you benefit in a very small way, while they benefit greatly. Having said that, if they don't get in trouble, you can still perform the exploit yourself later.

    Probably the best thing you could do though is to share the exploit with many people. This way, large numbers of people will benefit from it, and the company will jump into action trying to fix the loophole, but will in the end probably honour some of the orders to make up for the mistake. They can't prosecute everybody, so they will cancel some/all orders, possibly honour a few, patch up the hole and learn their lesson. If you shared the loophole here, the community would benefit, and even if it came to nothing, it would still be fun. While you wouldn't benefit as much financially, your reputation among OzBargainers would be cemented, and we could all have fun discussing this situation for years to come.

    TL;DR It's best for everyone if you share the loophole here. :)

  • +3 votes

    What are you after Op?
    Bragging rights?
    Recognition?
    Money?
    Free stuff?
    Warm and fuzzy feelings?

  • +5 votes

    troll

    •  

      Agreed, reported.

    •  

      Troll why?

      • +1 vote

        because you don't give the exploit to public so everyone can take advantage of it.

        •  

          Finders keepers :p

  • +5 votes

    OP if you have a kid and they ask you the same ethics question what would you teach them? there's your answer. .. good luck

    • +1 vote

      it doesn't matter, everyone ends up being corrupted anyways. We only just justify it to make it not sound evil.

      •  

        educate them early so they can have early advantage from the rest of the kids

  •  

    Don't do it OP! Look what happened to Edward Snowden when he snitched! He had to leave the country!

  • +6 votes

    OP, you posed a question and gave three alternatives, yet didn't think it was worth making a poll?
    I demand a vote!

  • +1 vote

    I hope you are not talking about AU newspaper websites where you have to subscribe to read articles, because everyone knows incognito/private browsing mode bypasses the subscription and you can read as many articles as you like for free. Oops, have I said too much?

    • +1 vote

      Then those that put everything behind a paywall, they load the content first then an overlay to hide the content.
      Just hit stop before it finishes loading the whole page and read away.

  •  

    So OP commits fraud and then admits knowingly committing said fraud on a public website.

    •  

      And then wants other people to tell him/her it's ok…

      Well, it does make for interesting reading!

  • +1 vote

    Not sure why OP posted this, since everyone should know what the right thing to do is..

    Maybe I should post what should I have for dinner tonight ??

    and no it's not chicken tonight..

  • +2 votes

    I don't think this is likely an ethical question.

    It is more likely a legal one. If the loophole results in you getting what is not rightfully yours it is theft/stealing?

    If it is a case where there has been an oversight by the retailer where they are selling items at a very low price (e.g. due to coupon stacking) this is somewhat of an ethical issue.

    I would try to imagine what the retailer would do if I entered an order incorrectly. e.g. I know airlines (esp Tiger), will charge you a lot to change flights if you booked incorrectly, even if you call them within 5 minutes.
    Others like meelec have been very nice about changing orders etc.

  • +3 votes

    I've read up about whitehat hacking. Companies don't like when you tell them a flaw of their system, it's more work for them. There won't be a reward and they probably won't thank whoever reports it. They may even open an investigation and accuse the "hacker" of exploiting the vulnerability.

    So I would vote "Do nothing" out of the 3 options.
    Clearly some of us would take advantage of the loophole, but I wouldn't advocate that.

  • +2 votes

    Post the info here and I'm sure the company will fix their problem faster than they can ship all the free goodies!

    •  

      Full disclosure is the only way.

  • +2 votes

    Just going to chime in here but I also have found an exploit of sorts through coupons at a certain retail store.

    Haven't yet used but I know of it and am 100% it works.
    Probably not going to report it.

    •  

      I have a 100% sure fire way to get free cars from my local car dealer, I don't think they've caught on, but I can't find enough storage space, any tips?

  • +1 vote
    •  

      Interesting… I guess it is easier for the tech department to blame a hacker than admit they had a major bug in the system which can potentially make Starbucks lose a ton of money.

  • +2 votes

    You should come clean to the big retailers as they are honest and never commit any fraud or underpay staff.

    • +2 votes

      Why yes of course
      </sarcasm>

      •  

        Now let us pray to our lord and saviour Gerry Harvey.

  • +4 votes

    It is stealing and when you use the product, you will always be reminded that you stole it.

    Don't sell your integrity for $x amount of dollars. You are worth more than that.

  •  

    Would you walk into the store and physically steal the items?

    Exactly.

    • +4 votes

      Should a store lack CCTV, sufficient staff and antishoplifting devices, you would be surprised how many would :/

      • Greed is not a financial issue. It's a heart issue.
      •  

        Just because we may be surprised by how many actually would, doesn't mean that we should ignore or forget the fact that MOST people still wouldn't.

    •  

      At the end of the day yes both are stealing but walking in and stealing an item vs a broken website that allows you to checkout for free are different situations.

  •  

    edit

  •  

    http://forums.whirlpool.net.au/archive/2448989…

    Anyway, I think the 'loophole' might be in their payment section. I, for one, was able to discover a loophole in 'receiving' itineraries for flights with Airlines with an Expired Visa. The payment would go through, book the seats. BUT I NEVER GOT THEM FOR FREE.. USED them only to EXTEND the time I HAVE to BUY the cheap tickets that were on special and needed TIME to think about it… They would call me a few days later and require a 'real CC', which if I wanted the ticket I would give and if I didn't then cancel.

    Is this the type of 'loophole' OP?

  •  

    I think I found the site…And prob know how the loophole works but too worried to try

  •  

    Get all the orders shipped overseas, so no chance they can track you down lol

    •  

      IP addresses are provided by phone and internet companies.

      Using another person's internet could work, or so might a prepaid cell with fake info that's never been at your house or work and completely paid for in cash (including credit).

      I would try to find a country…

  •  

    Has it by chance got anything to do with PayPal? I shopped online on Friday morning and the debit is showing on PayPal transactions but not on my credit card. Other transactions through PayPal have gone through as normal and show on credit card. It is like there is a missing link between PayPal and my credit card for this store. My PayPal balance is zero.

    • +1 vote

      it once took PayPal a month to debit my account for an ebay purchase, thought I was off the hook then BAM! fear not though, they will eventually get around to processing the transaction

      •  

        It is strange because I did another transaction straight after and that went straight through and shows in both PayPal and credit card

  •  

    Is it the "Shoplift" Magento (ebay) bug ?

    28% servers still unpatched in Australia…
    still pretty high

    https://shoplift.byte.nl/geograph

  • +1 vote

    You're torn between acting ethically or unethically. But ethically there is no question. The moral choice is to report it to the company regardless of whether they may reward you or not. Whether you have the strength to do this is the question.

  •  

    I cannot tell you what you should do but I would have reported it back to retailer. At the end of the day you should feel good about what you did. Also I do feel someday they will come to know about it.

  • +1 vote

    It's Groupon

    •  

      Yes. I guess OP finally got the coupon working like a charm, a 100% off coupon!

      •  

        That's how I came to the conclusion. He bought the trip… and now questioning his actions!

        I love being a detective! ;)

        •  

          Looks like we're all going to Thailand!

  • +1 vote

    Seriously…

    Exploit it minimally… Profit!

    The other alternative is to report it, then the CEO gets lawyers involved, the lawyers accuse you of hacking them (even though the CEO understands their own mistake), and you end up spending thousands of dollars per day defending yourself.

    I'm saying this from experience. I can't give more info because of legal agreements.

  • +1 vote

    What are your thoughts on these sort of things? I'm torn.

    Well, all of us have given you our thoughts on those sort of things.

    But how about your own thoughts? And I quote:

    1.- The OP is not legally a criminal until found guilty.

    3.- We don't know if the OP actually caused damage.

    You have not taken advantage of the loophole (even if you did) until found guilty under the rule of court.

    Nobody will know if the OP (you) actually caused any damages until found guilty under the rule of court.

    <Dalai Lama-esque Wisdom>
    Search for the answers within yourself
    </Dalai Lama-esque Wisdom>

    BTW, did you end up buying a new car recently? If you did and one day you accidentally left the door open with the keys still in the engine would you prefer if the would-be burglar:
    1) not steal your car
    2) steal your car
    ?

    Or if that analogy is not good enough, then assuming car = website, then your belongings inside the car = the products on the website. So I change my question to: would you prefer if the would-be burglar:
    1) steal your phone and your wife's jewelry
    2) not steal your phone and your wife's jewelry

    • +2 votes

      That's not really an accurate analogy. The website is typically intended for public access, your car isn't. Stealing stuff from a car is similar to the following:
      victim connects to a public wifi
      victim has anonymous ftp running
      randomguy2015 notices ftp on the network and finds it doesn't have authentication, and actually connects to it.

      Steals phone and wife's jewelry = stealing files on the unsecured share.

      :)

      A more workable analogy would be, if OP was walking into the train station (website), and then walked into the toilet and found a police handgun next to the sink (security vuln). Now his quandary is whether he should:
      - ignore and walk away (since he's probably not an American :P)
      - keep the gun because … ummm he's in a bit of trouble with the Sydney realestate mob :P
      - call 000, stick around and answer a billion questions; and run the risk of being detained.

  • -1 vote

    I call BS.