NEW YORK (CNNMoney) -- A group of security researchers say software flaws in the ways major merchants have implemented payment systems from PayPal, Amazon Payments and Google Checkout allowed them to buy products online for free or at a deep discount.
As a result, study co-author XiaoFeng Wang said his group was able to procure items like DVDs and electronics chargers by gaming the system in multiple ways. They could add a discount of their choosing, shop for free after paying for one item, or buy an expensive product for the price of the cheapest item.
In some cases, the researchers convinced merchant sites that they had paid for an item in full -- while actually making the payment into their own seller account at Amazon.
The researchers made clear that most of the security lapses were on the third-party merchants' side, not the payment processors'.
Amazon did not respond to requests for comment. Google said it was looking into the study results, and emphasized that Google Checkout has multiple fraud detection systems.
Wang compared the logic flaws to a naughty child who wants a piece of candy: The child tells the mother that the father said it was OK, and then tells Dad that Mom said it was fine. If the two parents aren't communicating effectively, the kid gets the candy.
"It's convenient for merchants to use these third-party services because then they don't have to build payment platforms themselves," XiaoFeng Wang said. "But that makes the whole system more complicated -- which means more possible bugs."
Wang said the researchers worked with a lawyer to conduct their tests in an ethical and legal way, and the items were returned to the merchants.
The group also immediately reported their findings to the merchants and worked with them to fix the issues, Wang said. He and his colleagues are scheduled to present their paper next month at the Institute of Electrical and Electronics Engineers' annual Symposium on Security and Privacy in Oakland, Calif.
Just 15 days after the group released its research paper, Wang said, Amazon released a new set of software development kits to fix bugs -- and mandated that Web stores to upgrade to the new SDKs within 40 days.
But Securisea CEO Josh Daymont warns that these types of issues indicate "a systemic weakness" in these kinds of services.
"Merchants love to use software as a service so they don't have to build payment platforms themselves," said Daymont, whose company specializes in IT security. "So that architecture isn't going away."
However, Daymont notes, companies like Amazon (AMZN, Fortune 500) and Google (GOOG, Fortune 500) have a lot of other things going on -- and they may not always pay enough attention to their payment platforms' back end. Plus, the onus is on merchants to build secure systems on top of those platforms.
"What typically happens is that companies make the decision not to throw more manpower behind these products, and then something like this IU paper comes out," he said. "It's a classic case of security not being considered until after the product has shipped."
Market timing is hard. And making investing decisions based on the calendar is just silly. If you sold in May and went away for the past three years, you missed out on stocks going up. More
A major earthquake was the last thing Nepal needed. Even before one of the country's major fault lines rumbled to life, the country was beset by challenges. More
The LG G4 smartphone has the makings of a revolutionary camera. More
SilverTech Ventures is a new accelerator that offers perks like free office space and access to its founders' extensive networks. More
At elite schools across the country, low-income students feel like outsiders and are working to make it better. More