Overstock cryptocurrency flaw muddles bitcoin payments and refunds
The payments bug, accepting bitcoin and Bitcoin Cash as equivalent payments, was active for three weeks.
American online retailer Overstock recently suffered a cryptocurrency payments bug that severely impacted the cost of purchases and allowed some customers to claim refunds at a significantly higher rate of return.
In a blog post this week on KrebsOnSecurity, journalist Brian Krebs said he was contacted by computer security firm Bancsec’s chief executive JB Snyder. The cybersecurity expert told Krebs that last week, when attempting to purchase an item on Overstock using digital currency, he realized the site was accepting both bitcoin and Bitcoin Cash as equivalent payments, despite the vast differences in their individual values.
For example, bitcoin (BTC) is currently worth around $14,500 per unit, while Bitcoin Cash (BCH) is valued at approximately $2,600, less than one fifth (18%) of the price.
Confirming the issue, KrebsOnSecurity purchased three outdoor solar lamps from Overstock for US$78.27. Krebs indicated he wished to make the purchase using bitcoin and Overstock sent an invoice for 0.00475574 bitcoins. Using digital currency exchange Coinbase, Krebs paid the total in Bitcoin Cash, rather than bitcoin.
Overstock approved the payment and sent Krebs an email confirming that the items would be shipped shortly.
“I had just made a US$78 purchase by sending approximately US$12 worth of bitcoin cash,” Krebs said.
However, when Krebs attempted to return the lamps for a refund, Overstock sent him US$78.27 (the original purchase price) worth of bitcoin, instead of the US$12 in Bitcoin Cash he actually used for the transaction.
When contacted for comment, Overstock informed KrebsOnSecurity that “a fix implemented by Coinbase” had resolved the issue and that the internet retailer hadn’t changed any actual code on its shopping website. Cryptocurrency payments on Overstock’s site were temporarily disabled but have since been restored.
Coinbase said the issue was brought about by its “merchant partner improperly using the return values in our merchant integration API”. The digital currency exchange website said no other customers had this problem.
“To our knowledge, a very small number of transactions were impacted by this issue,” Coinbase said.
Coinbase told KrebsOnSecurity that the payments flaw was active on Overstock for approximately three weeks.
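The article does not show the integration code involved. As an added illustration (not Overstock's or Coinbase's code; the field names, function names and rate table are hypothetical), this Python example contrasts an order check that compares only the numeric amount with one that also checks the asset, and a refund based on the invoice with one based on what was actually received.

```python
from decimal import Decimal

# Constructed sample data. Field names are hypothetical, not Coinbase's
# merchant API. The amounts mirror the purchase described in the article.
INVOICE = {"id": "inv-1", "currency": "BTC",
           "amount": Decimal("0.00475574"), "usd_total": Decimal("78.27")}
PAID_BCH = {"invoice_id": "inv-1", "currency": "BCH",
            "amount": Decimal("0.00475574")}
PAID_BTC = {"invoice_id": "inv-1", "currency": "BTC",
            "amount": Decimal("0.00475574")}
# Approximate per-unit USD prices quoted in the article.
USD_RATES = {"BTC": Decimal("14500"), "BCH": Decimal("2600")}


def naive_is_paid(invoice, payment):
    """Flawed check: compares the numeric amount only and ignores the asset."""
    return payment["amount"] >= invoice["amount"]


def strict_is_paid(invoice, payment):
    """Accept a payment only if invoice id, asset and amount all match."""
    return (payment["invoice_id"] == invoice["id"]
            and payment["currency"] == invoice["currency"]
            and payment["amount"] >= invoice["amount"])


def naive_refund(invoice, payment):
    """Flawed refund: pays back the invoice's USD total in the invoiced asset,
    regardless of which asset was actually received."""
    return {"currency": invoice["currency"], "usd_value": invoice["usd_total"]}


def strict_refund(invoice, payment, usd_rates):
    """Refund in the asset actually received, valued at the given rates and
    capped at the invoice's USD total."""
    received_usd = payment["amount"] * usd_rates[payment["currency"]]
    capped = min(received_usd, invoice["usd_total"])
    return {"currency": payment["currency"],
            "usd_value": capped.quantize(Decimal("0.01"))}


if __name__ == "__main__":
    print("naive accepts BCH: ", naive_is_paid(INVOICE, PAID_BCH))
    print("strict accepts BCH:", strict_is_paid(INVOICE, PAID_BCH))
    print("naive refund: ", naive_refund(INVOICE, PAID_BCH))
    print("strict refund:", strict_refund(INVOICE, PAID_BCH, USD_RATES))
```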
A number of big businesses have debated the use of cryptocurrencies as a result of their price volatility.
Microsoft briefly ceased accepting bitcoin as a payment method earlier this week but has since restored this option. Entertainment and gaming platform Steam announced in December last year that it would no longer support bitcoin payments, given the cryptocurrency’s unreliable value and inherently high processing fees.
Additionally, several prepaid cryptocurrency debit card providers have had their services suspended by Visa.
Cryptocurrency exchange Binance lifted its temporary ban on new user accounts this week after experiencing a recent surge in popularity. However, only a limited number of new registrations will be permitted each day.