Some detractors of President Donald Trump have spent the past few days trying to lock down Trump-branded merchandise by leaving thousands of products from his online stores in baskets. But while the attack has become something of a resistance meme, reminiscent of recent pranks at the president’s rally in Tulsa, it is much less clear whether the hoax actually stopped Trump’s stores from selling merchandise.
Earlier this week, TikTok and Twitter users began posting videos and posts claiming they were “buying” the entire supply of items like Trump baseballs and Baby Lives Matter Rompers, then leaving them indefinitely in the basket, making them unavailable to other visitors. The attacks apparently involved at least two sites: Trump’s official campaign store and his non-political themed Trump gift shop.
FYI: All Trump Baseballs are sold out because I have more than $9000 in a basket that I do not intend to buy
– jocelyne (@jocelyn90028) June 26, 2020
This is a version of a real exploit called an “inventory denial” attack – basically buying huge amounts of limited-stock items (or things like restaurant reservations and hotel rooms) but never completing the transaction. This works if a store actually reserves an item when a user puts it in a cart, and it’s more effective if there are no limits on the number of items people can buy at a time, if the contents of the cart do not expire after a fixed period, or if the attacker uses bots to constantly update fake purchases.
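The conditions in that paragraph, modeled from the store's side as an added example (not code from either Trump store or from Shopify): the `Inventory` class, its three policy parameters and the 13-unit stock are constructed for illustration, and the model assumes stock is only decremented at payment.

```python
import time

class Inventory:
    """Toy stock model for one item; constructed for illustration."""
    def __init__(self, stock, hold_on_cart, hold_ttl=None, max_per_cart=None,
                 clock=time.monotonic):
        self.stock = stock
        self.hold_on_cart = hold_on_cart  # does adding to a cart reserve stock?
        self.hold_ttl = hold_ttl          # seconds a cart may hold stock (None = forever)
        self.max_per_cart = max_per_cart  # per-cart quantity cap (None = unlimited)
        self.clock = clock
        self.carts = {}                   # cart_id -> (qty, expires_at)

    def _expire(self):
        now = self.clock()
        self.carts = {c: (q, exp) for c, (q, exp) in self.carts.items()
                      if exp is None or exp > now}

    def available(self):
        """Units another shopper could still put in a cart right now."""
        self._expire()
        if not self.hold_on_cart:
            return self.stock             # carts lock nothing; stock drops at payment
        return self.stock - sum(q for q, _ in self.carts.values())

    def add_to_cart(self, cart_id, qty):
        """Add up to qty units to a cart; return how many were accepted."""
        self._expire()
        held, exp = self.carts.get(cart_id, (0, None))
        room = self.available() if self.hold_on_cart else self.stock - held
        if self.max_per_cart is not None:
            room = min(room, self.max_per_cart - held)
        qty = max(0, min(qty, room))
        if held == 0 and self.hold_ttl is not None:
            exp = self.clock() + self.hold_ttl  # fixed deadline; later adds don't extend it
        if held + qty:
            self.carts[cart_id] = (held + qty, exp)
        return qty

def simulate(**policy):
    """One unpaid cart asks for all 13 units; return what a second shopper
    can still add, as (immediately, 20 minutes later)."""
    now = [0.0]
    inv = Inventory(13, clock=lambda: now[0], **policy)
    inv.add_to_cart("abandoned", 13)
    at_once = inv.available()
    now[0] = 20 * 60
    return at_once, inv.available()
```

`simulate(hold_on_cart=True)` leaves the second shopper 0 units at both times, `simulate(hold_on_cart=False)` leaves 13 and 13, and a 10-minute hold with a cap of 2 per cart (`hold_ttl=600, max_per_cart=2`) leaves 11 and then 13.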
However, there isn’t much evidence that items were falsely shown as sold out as a result of reservations – and there is some evidence that would-be store jammers were wrong to claim victory.
One popular tweet, for example, claims to have bought up the entire supply of baseballs from TrumpStore.com, the non-campaign store. There is no screenshot showing the results, but responses include images of “sold out” errors on other items in the store, including water bottles and hats.
But The Edge replicated this error message, and it does not mean that inventory is locked. The message appears if a person fills their cart with all available stock of an item, returns to the item, and tries to add more. (It’s easy to get the error because the stock seems low – in my case 13 navy / red baseballs.) But other site visitors can still put the items in another basket. The message apparently just makes sure that a person cannot place a single order that the store is unable to fulfill. It is possible that the store has changed this in the past 12 hours, but there is no visible sign of a change.
Trump’s campaign site works differently. Until recently, users could change the quantity of an item in the cart to any number, and videos show people ordering tens of thousands of items costing hundreds of thousands of dollars, going to the payment page and simply not entering a card. In theory, this could have made the campaign site more vulnerable, and the site has since removed the ability to add multiple items at once, suggesting webmasters may have been rocked by the impending threat.
Trump spokespersons haven’t exactly clarified the issue. On Twitter, campaign manager Brad Parscale acknowledged a taunt from one of the first accounts to post about the attack, which told the campaign that “any programmer worth his salt would explain this … but not all”. Unfortunately, his response was simply “I guess you owe me salt,” which says little about Trump’s web development best practices.
Barring a statement from Trump’s campaign, which did not immediately respond to an email from The Edge, there is no evidence that Trump supporters were prevented from purchasing items. We found some videos that show large orders, but none that show the items later going out of stock. (While the baby romper is currently sold out, there’s a 9-hour lag and no firm connection to the prank.) Shopify, which powers Trump’s campaign store, also didn’t answer questions about the attack’s feasibility.
In a final attempt to test the claims, we decided to try a possible exploit that wouldn’t be fixed by removing the multiple order option: depleting all inventory on a single item by sheer brute force. A small group of Edge staff members simultaneously filled carts with pairs of $70 Trump / Pence gold cufflinks – an item with presumably lower demand and higher production costs than a sign or t-shirt – one click at a time.
Together, four Edge writers temporarily reserved a total of 16,371 pairs, or about $1.145 million worth of cufflinks (using an issue that allowed the “add to cart” link to be clicked multiple times to quickly add multiple copies of an item), surpassing the highest single item order (10,000 shirts) we saw on TikTok. This led us to some possible conclusions:
- Trump’s campaign store previously “held” items in baskets for individual shoppers, but silently stopped doing so after the attacks – in which case there was no practical reason to remove the multiple orders field as well.
- The store never held items in carts, so attacks were never a threat – but the campaign removed the multiple orders field because it made it look like Trump was falling victim to huge orders only a week after being humiliated by TikTok teens employing the exact same strategy.
- The Trump campaign has a ready-to-ship stock of at least 16,372 pairs of fancy cufflinks – in which case it is probably ready to withstand these attacks.
Regardless of which is correct, it seems clear that the impression of targeting Trump’s campaign has been far more meaningful than any real inconvenience to Trump fans. But Trump is known to be a president who often cares more about perception than reality – so the bogus orders could have served their purpose anyway.
The Twitter user whose post triggered Parscale’s comment largely agreed. “The idea was to get under Brad Parscale’s skin and in that regard it seemed to work,” @Christophurious told The Edge in an email. “I think a lot of TikTok and K-pop kids knew from the start that it probably affects nothing more than a programmer’s ego. And they seem to be okay with that.”
Update 5:00 p.m. ET: Added comment from @Christophurious.