Some critics of President Donald Trump have spent the last few days trying to lock up Trump-branded merchandise by leaving thousands of products from his online stores in shopping carts. But while the attack has become a kind of resistance meme, reminiscent of recent pranks on the president’s Tulsa rally, it’s far less clear whether the hoax actually prevented Trump’s stores from selling merchandise.
Earlier this week, TikTok and Twitter users started posting videos and messages claiming they were “buying” the entire supply of items like Trump baseballs and “Baby Lives Matter” onesies, then leaving them in the cart indefinitely, making them unavailable to other visitors. The attacks apparently involved at least two sites: Trump’s official campaign store and his nonpolitically themed Trump gift shop.
FYI: all the Trump Baseballs are sold out because I have over $9000 worth of them in a shopping cart that I have no intention on buying
— jocelyn (@jocelyn90028) June 26, 2020
This is a version of a real exploit called a “denial of inventory” attack — basically, buying up huge amounts of limited-stock items (or things like restaurant reservations and hotel rooms) but never completing the transaction. It works if a shop actually reserves an item when a user puts it in a cart, and it’s most effective if there are no limits on how many items people can buy at a time, if cart contents don’t expire after a fixed period or if the attacker is using bots to constantly refresh the fake purchases.
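The conditions in the paragraph above, modeled as an added example (not code from The Verge, Shopify, or either store): a toy `Store` that reserves stock on add-to-cart, compared with and without a per-cart quantity cap and a fixed hold expiry. The class, its parameters, and the stock figures are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Store:
    """Toy cart-reservation model (constructed; not any real shop's logic)."""
    stock: dict                          # sku -> units on hand
    max_per_cart: Optional[int] = None   # None = no per-cart quantity limit
    hold_ttl: Optional[float] = None     # seconds; None = holds never expire
    holds: dict = field(default_factory=dict)  # (cart, sku) -> (qty, expires_at)

    def available(self, sku, now):
        """Units other shoppers can still buy at time `now`."""
        # Drop expired holds first so their units return to sale.
        self.holds = {k: v for k, v in self.holds.items()
                      if v[1] is None or v[1] > now}
        held = sum(q for (_, s), (q, _) in self.holds.items() if s == sku)
        return self.stock[sku] - held

    def add_to_cart(self, cart, sku, qty, now):
        """Reserve up to `qty` units for `cart`; return units granted."""
        free = self.available(sku, now)
        held, expires = self.holds.get((cart, sku), (0, None))
        grant = min(qty, free)
        if self.max_per_cart is not None:
            grant = min(grant, self.max_per_cart - held)
        if grant <= 0:
            return 0
        if held == 0 and self.hold_ttl is not None:
            # The expiry clock starts at the first add only, so re-adding
            # to the same cart cannot extend the hold.
            expires = now + self.hold_ttl
        self.holds[(cart, sku)] = (held + grant, expires)
        return grant

def abandoned_cart_impact(store, sku, want, check_at):
    """One cart requests `want` units at t=0 and never checks out;
    return the units still available to others at `check_at`."""
    store.add_to_cart("abandoned", sku, want, now=0)
    return store.available(sku, now=check_at)

if __name__ == "__main__":
    naive = Store({"item": 100})
    capped = Store({"item": 100}, max_per_cart=5, hold_ttl=900)
    print("no limits, a day later:", abandoned_cart_impact(naive, "item", 10_000, 86_400))
    print("cap + expiry, a minute later:", abandoned_cart_impact(capped, "item", 10_000, 60))
```

The cap and expiry bound what a single cart can hold; many carts opened in parallel are a separate problem that this model does not address.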
There’s not much evidence items were falsely shown as sold out as a result of the reservations, though — and some evidence shows that would-be store-jammers were wrong to claim victory.
One popular tweet claims, for instance, to have bought out the entire supply of baseballs from the non-campaign TrumpStore.com. There’s no screenshot displaying the results, but replies include shots of “sold out” errors on other items from the store, including water bottles and hats.
But The Verge replicated that error message, and it doesn’t mean the inventory is locked up. The message appears if one person fills their cart with all the available stock of an item, goes back to the item, and tries to add more. (It’s easy to get the error because the stock seems low — in my case, 13 navy/red baseballs.) But other site visitors can still put the items in a different cart. The message seemingly just makes sure one person can’t place a single order the store is unable to fulfill. It’s possible the store tweaked that in the past 12 hours, but there’s no visible sign of a change.
Trump’s campaign site works differently. Until very recently, users could change the quantity of a cart item to any number, and videos show people ordering tens of thousands of items costing hundreds of thousands of dollars, proceeding to the payment page, and simply not entering a card. In theory, this could have made the campaign site more vulnerable, and the site has since removed the ability to add multiple items at a time, suggesting the webmasters may have been rattled by the looming threat.
Trump spokespeople haven’t exactly cleared the issue up. On Twitter, campaign manager Brad Parscale acknowledged a taunt from one of the first accounts that posted about the attack, who’d told the campaign that “any programmer worth their salt would account for this … but not all do.” Unfortunately, his response was simply “I guess you owe me some salt,” which says little about Trump’s actual web development best practices.
Barring a statement from Trump’s campaign, which didn’t immediately respond to an email from The Verge, there’s no proof Trump supporters were being prevented from buying items. We’ve found videos that show large orders, but not ones that show sold-out items afterward. (While the baby onesie is currently sold out, there’s a 21-hour time gap and no firm link to the prank order.) Shopify, which powers Trump’s campaign store, also hasn’t responded to questions about whether the attack seems feasible.
In a final attempt to prove the claims, we decided to test one possible exploit that wouldn’t be fixed by removing the multiple orders option: depleting the entire inventory of a single item by sheer brute force. A small group of Verge staffers simultaneously filled carts with pairs of $70 Trump / Pence gold cuff links — an item with plausibly lower demand and higher production costs than a sign or T-shirt — one click at a time.
Together, four Verge writers temporarily reserved a total of 16,371 pairs or roughly $1.145 million in cuff links (using a glitch that allowed repeatedly clicking the “add to cart” link to quickly add multiple copies of an item), exceeding the highest single item order (10,000 shirts) we saw on TikTok. This led us to a few possible conclusions:
- Trump’s campaign store previously “held” items in carts for individual shoppers, but it silently stopped doing this after the attacks — in which case there was no practical reason to also remove the multiple orders field.
- The store never held items in carts, so the attacks never posed a threat — but the campaign removed the multiple orders field because it created the impression Trump was being pranked with huge orders just a week after being humiliated by TikTok teens employing the exact same strategy.
- The Trump campaign has a ready-to-ship stock of at least 16,372 pairs of novelty cuff links — in which case it’s probably prepared to withstand these attacks.
Regardless of which is correct, it seems clear that the impression of putting one over on Trump’s campaign has been far more meaningful than any actual inconvenience to Trump fans. But Trump is famously a president who often worries more about perception than reality — so the fake orders might have served their purpose anyway.
The Twitter user whose message sparked Parscale’s comment largely concurred. “The idea was to get under Brad Parscale’s skin and in that respect it seemed to work,” @Christophurious told The Verge in an email. “I think a lot of the TikTok and K-pop kids knew from the start that it likely wasn’t affecting anything more than some programmer’s ego. And they seem to be fine with that.”
Update 5:00PM ET: Added comment from @Christophurious.