Online retailer Overstock.com, which has a wide selection of goods from furniture to luxury watches, suffered from a nasty technical flaw that allowed customers to pay with both Bitcoin and Bitcoin Cash – despite the fact that the latter currency was valued at a significantly lower price.
The bug essentially made it possible to successfully pay the required amount of BTC in BCH, but without adjusting the price according to the value of the latter. This meant that you could get any item at a 70-plus-percent “discount.” At the time of writing, Bitcoin and Bitcoin Cash stand at $14,524 and $2,675, respectively.
The worst part was that, once users had requested a refund, the retailer would proceed to pay them back in the original Bitcoin value – a glitch that could have easily incurred millions of losses.
The technical shortcoming was first reported by KrebsOnSecurity, where the flaw has been documented in more detail. Reporter Brian Krebs notes he discovered the issue following a notice from a concerned Overstock customer.
According to the post, all it took to pull off this “trick” was paying for your item of choice with BCH instead of BTC. As long as the requested BTC fee was the same, the payment would go through as successful.
“Logging into Coinbase, I took the [B]itcoin address and pasted that into the “pay to:” field, and then told Coinbase to send 0.00475574 in [B]itcoin [C]ash instead of [B]itcoin,” Krebs wrote. “The site responded that the payment was complete. Within a few seconds I received an email from Overstock congratulating me on my purchase and stating that the items would be shipped shortly.”
“I had just made a $78 purchase by sending approximately USD $12 worth of [B]itcoin [C]ash,” Krebs continued.
As Krebs himself points out, any customer practically had the the ability to exploit this bug to make “ridiculous sums” of Bitcoin in a very short window of time.
“Let’s say I purchased one of the more expensive items for sale on Overstock, such as this $100,000, 3-carat platinum diamond ring. I then pay for it in Bitcoin cash, using an amount equivalent to approximately 1 bitcoin ($~15,000),” Krebs said. “Then I simply cancel my order, and Overstock/Coinbase sends me almost $100,000 in bitcoin, netting me a tidy $85,000 profit. Rinse, wash, repeat.”
For background, Overstock partnered with cryptocurrency exchange desk Coinbase back in 2014 so the retailer could offer its customers the option to pay in Bitcoin and other cryptocurrencies.
According to Overstock, the issue resulted from a faulty payment integration provided by Coinbase. Coinbase has since shifted the blame back to Overstock, saying that “the merchant partner improperly using the return values in our merchant integration API.”
The bug purportedly existed for “approximately three weeks,” according to a statement from Coinbase. Fortunately for Overstock, it has since been fixed.
Published January 10, 2018 — 16:28 UTC