
Price manipulation via fraction values (Parameter Tampering)

Low
Shipt
Submitted None

Team Summary

Official summary from Shipt

A security researcher identified an issue in our member application that showed how a user's cart would accept fractional quantities of any item, irrespective of whether or not the item was capable of being in a 'fractional' state (e.g. fractional quantities were being accepted for a half pound of ground beef, but were also being accepted for an iPad). The researcher demonstrated that when a user added an item to their cart, the request could be intercepted, and if the `qty` parameter was updated to a fractional amount, the fractional price would be reflected in the user's cart (e.g. `0.1 iPads` would reflect as such and the price would be 1/10th the normal cost). Shipt has compensating controls protecting against a bad actor leveraging this to successfully obtain large discounts on high-priced items; however, this issue was resolved by our engineering team as a low-risk bug and the researcher confirmed resolution.

Reported by codeslayer1337
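The server-side check that closes this class of bug, as an added illustration (not Shipt's code): the catalogue, prices, SKUs and the `fractional_qty` flag are constructed for the example, and `qty` stands for the intercepted request parameter. The vulnerable function multiplies whatever number arrives; the hardened one only allows non-integer quantities for items sold by weight, and rejects NaN, infinity, zero and negative values.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalogue: unit price and whether a fractional quantity is meaningful.
CATALOG = {
    "ground-beef-1lb": {"price": Decimal("5.98"), "fractional_qty": True},
    "ipad":            {"price": Decimal("499.00"), "fractional_qty": False},
}


class CartError(ValueError):
    """Raised when the qty parameter is rejected."""


def line_total_vulnerable(sku, qty_param):
    """Behaviour as reported: qty is parsed as a number and scales the price directly."""
    return (CATALOG[sku]["price"] * Decimal(str(qty_param))).quantize(Decimal("0.01"))


def parse_qty(sku, qty_param):
    """Validate qty against what the item can actually be sold in."""
    item = CATALOG[sku]
    try:
        qty = Decimal(str(qty_param))
    except InvalidOperation:
        raise CartError("qty is not a number")
    if not qty.is_finite() or qty <= 0:          # rejects NaN, Infinity, 0, negatives
        raise CartError("qty must be a positive finite number")
    if item["fractional_qty"]:
        qty = qty.quantize(Decimal("0.01"))      # weight resolution: hundredths of a unit
        if qty <= 0:                             # e.g. 0.001 rounds to zero; reject it
            raise CartError("qty below minimum sellable weight")
        return qty
    if qty != qty.to_integral_value():           # unit items: whole numbers only
        raise CartError(f"{sku} cannot be purchased in fractional quantities")
    return int(qty)


def line_total_hardened(sku, qty_param):
    """Price the line only after qty has passed the per-item validation."""
    qty = parse_qty(sku, qty_param)
    return (CATALOG[sku]["price"] * Decimal(qty)).quantize(Decimal("0.01"))
```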

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$100.00

Submitted