NEW YORK (CNNMoney) -- A group of security researchers say software flaws in the ways major merchants have implemented payment systems from PayPal, Amazon Payments and Google Checkout allowed them to buy products online for free or at a deep discount.
As a result, study co-author XiaoFeng Wang said his group was able to procure items like DVDs and electronics chargers by gaming the system in multiple ways. They could add a discount of their choosing, shop for free after paying for one item, or buy an expensive product for the price of the cheapest item.
In some cases, the researchers convinced merchant sites that they had paid for an item in full -- while actually making the payment into their own seller account at Amazon.
The researchers made clear that most of the security lapses were on the third-party merchants' side, not the payment processors'.
Amazon did not respond to requests for comment. Google said it was looking into the study results, and emphasized that Google Checkout has multiple fraud detection systems.
Wang compared the logic flaws to a naughty child who wants a piece of candy: The child tells the mother that the father said it was OK, and then tells Dad that Mom said it was fine. If the two parents aren't communicating effectively, the kid gets the candy.
"It's convenient for merchants to use these third-party services because then they don't have to build payment platforms themselves," XiaoFeng Wang said. "But that makes the whole system more complicated -- which means more possible bugs."
Wang said the researchers worked with a lawyer to conduct their tests in an ethical and legal way, and the items were returned to the merchants.
The group also immediately reported their findings to the merchants and worked with them to fix the issues, Wang said. He and his colleagues are scheduled to present their paper next month at the Institute of Electrical and Electronics Engineers' annual Symposium on Security and Privacy in Oakland, Calif.
Just 15 days after the group released its research paper, Wang said, Amazon released a new set of software development kits to fix bugs -- and mandated that Web stores to upgrade to the new SDKs within 40 days.
But Securisea CEO Josh Daymont warns that these types of issues indicate "a systemic weakness" in these kinds of services.
"Merchants love to use software as a service so they don't have to build payment platforms themselves," said Daymont, whose company specializes in IT security. "So that architecture isn't going away."
However, Daymont notes, companies like Amazon (AMZN, Fortune 500) and Google (GOOG, Fortune 500) have a lot of other things going on -- and they may not always pay enough attention to their payment platforms' back end. Plus, the onus is on merchants to build secure systems on top of those platforms.
"What typically happens is that companies make the decision not to throw more manpower behind these products, and then something like this IU paper comes out," he said. "It's a classic case of security not being considered until after the product has shipped."
One hero's reward, coming right up. More
Health insurers in California will charge an average of $304 a month for the cheapest silver-level plan in state-based exchanges next year, according to rates released Thursday by Covered California, which is implementing the Affordable Care Act there. But many residents will pay a lot less than that for coverage. More
The Obamacare employer mandate forces businesses with 50-plus workers to provide insurance. But many keep getting that cutoff number wrong, saying it's 51. More