Some critics of President Donald Trump have spent the past few days trying to lock up Trump-branded merchandise by leaving thousands of products from his online stores in shopping carts. But as the attack has turned into a kind of resistance meme, similar to recent pranks on the president’s Tulsa rally, it’s far less clear whether the hoax actually prevented Trump’s stores from selling merchandise.
Earlier this week, TikTok and Twitter users started posting videos and messages claiming they were “buying” the entire supply of items like Trump baseballs and “Baby Lives Matter” onesies, then leaving them in the cart indefinitely, making them unavailable to other visitors. The attacks apparently involved at least two sites: Trump’s official campaign store and his nonpolitically themed Trump gift shop.
FYI: all the Trump Baseballs can be purchased out because I have over $9000 worth of them in a shopping cart application that I’ve no intention of buying
— jocelyn (@jocelyn90028) June 26, 2020
This is a version of a genuine exploit called a “denial of inventory” attack — essentially, buying up huge amounts of limited-stock items (or things like restaurant reservations and hotel rooms) but never completing the transaction. It works if a shop actually reserves an item when a user puts it in a cart, and it’s most effective if there are no limits on how many items people can purchase at a time, if cart contents don’t expire after a fixed period, or if the attacker is using bots to constantly refresh the fake purchases.
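The conditions above (holds on add-to-cart, no quantity limit, no expiry) can be modelled from the store's side to show what each mitigation changes. This is an added example, not code from either store or from Shopify; the `Inventory` class, the `simulate` helper, the 15-minute hold, the cap of two per cart and the stock of 13 are constructed assumptions.

```python
import time


class Inventory:
    """Stock for one item, with cart holds (reservations). Illustrative model only."""

    def __init__(self, stock, hold_ttl=None, max_per_cart=None, clock=time.monotonic):
        self.stock = stock                # units the store can actually ship
        self.hold_ttl = hold_ttl          # seconds a hold lasts; None = never expires
        self.max_per_cart = max_per_cart  # None = no per-cart quantity limit
        self.clock = clock
        self.holds = {}                   # cart_id -> (qty, expires_at)

    def _expire(self):
        # Drop holds whose timer has run out so abandoned carts release stock.
        now = self.clock()
        self.holds = {c: (q, exp) for c, (q, exp) in self.holds.items()
                      if exp is None or exp > now}

    def available(self):
        self._expire()
        return self.stock - sum(q for q, _ in self.holds.values())

    def add_to_cart(self, cart_id, qty):
        """Try to hold qty more units for cart_id; return the units the cart now holds."""
        self._expire()
        held = self.holds.get(cart_id, (0, None))[0]
        want = held + qty
        if self.max_per_cart is not None:
            want = min(want, self.max_per_cart)       # per-cart quantity limit
        want = min(want, held + self.available())     # never hold more than exists
        exp = None if self.hold_ttl is None else self.clock() + self.hold_ttl
        if want > 0:
            self.holds[cart_id] = (want, exp)
        return want


def simulate(hold_ttl, max_per_cart, stock=13):
    """One cart grabs everything and is abandoned; two real shoppers follow."""
    now = [0.0]                                       # fake clock, in seconds
    inv = Inventory(stock, hold_ttl, max_per_cart, clock=lambda: now[0])
    inv.add_to_cart("abandoned-cart", stock)
    right_away = inv.add_to_cart("shopper-1", 1)      # arrives immediately
    now[0] += 16 * 60                                 # 16 minutes pass
    later = inv.add_to_cart("shopper-2", 1)
    return right_away, later
```

With no expiry and no cap, both shoppers are locked out; an expiry alone only helps the later shopper, while expiry plus a cap leaves stock available the whole time.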
There’s not much evidence items were falsely shown as out of stock as a result of the reservations, though — and some evidence shows would-be store-jammers were wrong to claim victory.
One popular tweet claims, for instance, to have bought out the entire supply of baseballs from the non-campaign TrumpStore.com. There’s no screenshot displaying the results, but replies include shots of “sold out” errors on other items from the store, including water bottles and hats.
But The Verge replicated that error message, and it doesn’t mean the inventory is locked up. The message appears if one person fills their cart with all the available stock of an item, goes back to the item, and tries to add more. (It’s easy to get the error because the stock seems low — in my own case, 13 navy/red baseballs.) But other website visitors can still put those items in another cart. The message seemingly just ensures one person can’t place an order the store is not able to fulfill. It’s possible the store tweaked that in the past 12 hours, but there’s no visible sign of a change.
Trump’s campaign site works differently. Until very recently, users could change the quantity of a cart item to any number, and videos show people ordering thousands of items costing hundreds of thousands of dollars, proceeding to the payment page, and simply not entering a card. In theory, this may have made the campaign site more vulnerable, and the site has since removed the ability to add multiple items at a time, suggesting the webmasters may have been rattled by the looming threat.
Trump spokespeople haven’t exactly cleared the issue up. On Twitter, campaign manager Brad Parscale acknowledged a taunt from one of the very first accounts that posted about the attack, who’d told the campaign that “any programmer worth their salt would account for this … but not all do.” Unfortunately, his response was simply “I guess you owe me some salt,” which says little about Trump’s actual web development guidelines.
Barring a statement from Trump’s campaign, which didn’t immediately respond to a message from The Verge, there’s no proof Trump supporters were being prevented from buying items. We’ve found videos that show large orders, although not ones that show sold-out items afterwards. (While the infant onesie is currently out of stock, there’s a 21-hour time gap with no firm link to the prank order.) Shopify, which powers Trump’s campaign store, also hasn’t responded to questions about whether the attack seems feasible.
In one last attempt to prove the claims, we chose to test one possible exploit that wouldn’t be fixed by removing the multiple orders option: depleting the entire inventory of a single item by sheer brute force. A small group of Verge staffers simultaneously filled carts with pairs of $70 Trump / Pence gold cuff links — something with plausibly lower demand and higher production costs than a sign or T-shirt — one click at a time.
Together, four Verge writers temporarily reserved a total of 16,371 pairs or roughly $1.145 million in cuff links (using a glitch that allowed repeatedly clicking the “add to cart” link to quickly add multiple copies of an item), exceeding the largest single-item order (10,000 shirts) we saw on TikTok. This led us to a few possible conclusions:
- Trump’s campaign store previously “held” items in carts for individual shoppers, but it silently stopped doing this following the attacks — in which case there is no practical reason to also take away the multiple orders field.
- The store never held items in carts, so the attacks never posed a threat — but the campaign removed the multiple orders field because it created the impression Trump was being pranked with huge orders merely a week after being humiliated by TikTok teens employing the exact same strategy.
- The Trump campaign has a ready-to-ship stock of at least 16,372 pairs of novelty cuff links — in which case it’s probably prepared to withstand these attacks.
Regardless of which is correct, it seems clear that the impression of putting one over on Trump’s campaign has been far more meaningful than any actual inconvenience to Trump fans. But Trump is famously a president who often worries more about perception than reality — so the fake orders may have served their purpose anyway.