Online retail giant Overstock.com has reportedly experienced a cryptocurrency payments bug that could have allowed customers to mint money simply via repeated cancellation of orders.
Last week, North Carolina-based bank security firm Bancsec informed journalist Brian Krebs that Overstock.com had erroneously accepted bitcoin cash instead of bitcoin as payment for a product.
To confirm the issue, Krebs ordered a $78 motion sensor light on Overstock and opted to make payment by bitcoin.
“Logging into Coinbase, I took the bitcoin address and pasted that into the ‘pay to:’ field, and then told Coinbase to send 0.00475574 in bitcoin cash instead of bitcoin,” Krebs writes on his website. Because of the glitch, the security specialist was able to make a $78 purchase by sending approximately $12-worth of bitcoin cash.
As experienced by Bancsec, Overstock’s website approved the transaction. What was potentially more damaging to the firm is the fact that, upon cancellation of the order, Overstock processed the refund in bitcoin.
Currently, a single bitcoin is priced at around $14,000, while its offshoot bitcoin cash is trading at $2,400. So, a malicious customer could have easily made large amounts of money simply by making repeated cancellations of orders of high-priced items at Overstock.
Krebs writes: “Reached for comment, Overstock.com said the company changed no code in its site and that a fix implemented by [payments partner] Coinbase resolved the issue.”
Coinbase reportedly said that the issue was caused by “the merchant partner improperly using the return values in our merchant integration API,” and noted that no other Coinbase customer had reported the problem. The error had existed for about three weeks, it added.
Krebs said he and Bancsec had looked for the same glitch at other merchants that “work directly with Coinbase in their checkout process,” but they found “no other examples of this flaw.”
Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Coinbase.
Overstock image via CoinDesk archives