A group of security researchers say they have found ways to trick online cashier systems into ordering items for free or at a discount.

Researchers from Indiana University and Microsoft Research found security holes in a software development kit from payment hosting provider Amazon Payments, Rui Wang, a Ph.D. student at Indiana University, told CNET in a recent interview. Amazon fixed the problems after being notified by the researchers, and integration bugs found in merchant shopping-cart applications and implementations on several retail sites have also been fixed.

The software they examined contained "logic flaws that can be exploited to cause inconsistencies between the states of the CaaS (Cashier-as-a-Service) and the merchant," and allow someone to game the systems, according to a paper co-authored by Rui, University of Indiana Associate Professor XiaoFeng Wang, and the others. The paper, entitled "How to Shop for Free Online," is scheduled to be presented at the IEEE Symposium on Security and Privacy in May.

Basically, the situation boils down to a shopper being able to give conflicting messages to the merchant and the cashier or payment system.

"Suppose there is a naughty kid, and the only way of communication between the kid, the mom, and the dad is through one-on-one phone calls," Rui wrote in an e-mail. "The kid may tell slightly different stories to the mom and the dad, and eventually gets an approval that he does not deserve. It all depends on whether mom and dad are smart and careful enough."

Specifically, exploiting the multiple-party system in this manner could allow a shopper to swap items after payment is made, reuse previous payment proof for a new item, pay himself or herself to get valid proof of payment to fool the merchant, self-sign a proof of payment, or add more items to the cart while the cashier is processing the payment, Rui said.

"We discovered a real flaw where the merchant is convinced that the order has been paid for in full through Amazon while the payment has actually been made to the shopper's own Amazon seller account," the paper said.

The researchers have some booty as a result of their antics. They were able to get for free a power strip, a device for testing blood-alcohol levels, and a magazine. They set their own price for a DVD, paying $5 below the actual price, and paid less for a more expensive bodybuilding cream. "Everything in the store could be checked out at the price of the cheapest item," Rui said.

The researchers consulted closely with a lawyer and conducted the tests in a responsible manner, informing the companies involved and in many cases returning the items, the report said.

An Amazon representative said the company had no comment on the matter. The company said in an e-mail sent to Rui that it had fixed the problem the researchers found, published a new software development kit, and given credit to the researchers for finding the problem.