suitable balance has been accrued that can actually be extracted.
Example 7: Cheating on Bulk Discounts
The authors encountered this logic flaw in the retail application of a software
vendor.
The Functionality
The application allowed users to order software products and qualify for bulk
discounts if a suitable bundle of items was purchased. For example, users who
purchased an antivirus solution, personal firewall, and anti-spam software
were entitled to a 25% discount on their individual prices.
The Assumption
When a user added an item of software to his shopping basket, the application
used various rules to determine whether the bundle of purchases he had chosen
entitled him to any discount. If so, the prices of the relevant items within
the shopping basket were adjusted in line with the discount. The developers
assumed that the user would go on to purchase the chosen bundle and so be
entitled to the discount.
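As an added illustration (not from the book or the vendor's code), the two baskets below contrast the add-time discount logic described above with a basket that prices only its final contents at checkout; the catalogue prices and the three-item bundle rule are constructed stand-ins.

```python
# Constructed catalogue and bundle rule standing in for the vendor's real ones.
PRICES = {"antivirus": 40.0, "firewall": 30.0, "antispam": 20.0}
BUNDLE = frozenset(PRICES)   # all three items together earn the discount
BUNDLE_DISCOUNT = 0.25


class AddTimeDiscountBasket:
    """Flawed design: when the bundle is completed on add, the stored line
    prices are rewritten with the discount and never revisited on removal."""

    def __init__(self):
        self.lines = {}  # item -> unit price that will actually be charged

    def add(self, item):
        self.lines[item] = PRICES[item]
        if BUNDLE.issubset(self.lines):
            for k in BUNDLE:
                self.lines[k] = round(PRICES[k] * (1 - BUNDLE_DISCOUNT), 2)

    def remove(self, item):
        self.lines.pop(item)  # remaining items keep their discounted prices

    def total(self):
        return round(sum(self.lines.values()), 2)


class CheckoutTimeDiscountBasket:
    """Hardened design: the basket stores only item identities; price and
    discount are derived from the final contents at the moment of payment."""

    def __init__(self):
        self.items = set()

    def add(self, item):
        self.items.add(item)

    def remove(self, item):
        self.items.discard(item)

    def total(self):
        rate = BUNDLE_DISCOUNT if BUNDLE.issubset(self.items) else 0.0
        return round(sum(PRICES[i] * (1 - rate) for i in self.items), 2)


def walk_through(basket_cls):
    """Add the full bundle, then drop the firewall before paying."""
    basket = basket_cls()
    for item in ("antivirus", "firewall", "antispam"):
        basket.add(item)
    basket.remove("firewall")
    return basket.total()
```

The flawed basket charges 45.00 for two items that should cost 60.00; the hardened one recomputes eligibility from what is actually being bought.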
The Attack
The developers’ assumption is rather obviously flawed and ignores the fact
that users may remove items from their shopping baskets after they have been