09 Jan 18

Website Glitch Let Me Overstock My Coinbase

Coinbase and Overstock.com just fixed a serious glitch that allowed Overstock customers to buy any item at a tiny fraction of the listed price. Potentially more punishing, the flaw let anyone paying with bitcoin reap many times the authorized bitcoin refund amount on any canceled Overstock orders.

In January 2014, Overstock.com partnered with Coinbase to let customers pay for merchandise using bitcoin, making it one of the first major e-commerce vendors to accept the virtual currency.

On December 19, 2017, as the price of bitcoin soared to more than $17,000 per coin, Coinbase added support for Bitcoin Cash — an offshoot (or “fork”) from bitcoin designed to address the cryptocurrency’s scalability challenges.

As a result of the change, Coinbase customers with balances of bitcoin at the time of the fork were given an equal amount of bitcoin cash stored by Coinbase. However, there is a significant price difference between the two currencies: A single bitcoin is worth almost $15,000 right now, whereas a unit of bitcoin cash is valued at around $2,400.

On Friday, Jan. 5, KrebsOnSecurity was contacted by JB Snyder, owner of North Carolina-based Bancsec, a company that gets paid to break into banks and test their security. An early adopter of bitcoin, Snyder said he was using some of his virtual currency to purchase an item at Overstock when he noticed something alarming.

During the checkout process for those paying by bitcoin, Overstock.com provides the customer a bitcoin wallet address that can be used to pay the invoice and complete the transaction. But Snyder discovered that Overstock’s site just as happily accepted bitcoin cash as payment, even though bitcoin cash is currently worth only about 15 percent of the value of bitcoin.

To confirm and replicate Snyder’s experience firsthand, KrebsOnSecurity purchased a set of three outdoor solar lamps from Overstock for a grand total of $78.27.

The solar lights I purchased from Overstock.com to test Snyder’s finding. They cost $78.27 in bitcoin, but because I was able to pay for them in bitcoin cash I only paid $12.02.

After indicating I wished to pay for the lamps in bitcoin, the site produced a payment invoice instructing me to send exactly 0.00475574 bitcoins to a specific address.

The payment invoice I received from Overstock.com.

Logging into Coinbase, I took the bitcoin address and pasted that into the “pay to:” field, and then told Coinbase to send 0.00475574 in bitcoin cash instead of bitcoin. The site responded that the payment was complete. Within a few seconds I received an email from Overstock congratulating me on my purchase and stating that the items would be shipped shortly.

I had just made a $78 purchase by sending approximately USD $12 worth of bitcoin cash. Crypto-currency alchemy at last!

But that wasn’t the worst part. I didn’t really want the solar lights, but also I had no interest in ripping off Overstock. So I cancelled the order. To my surprise, the system refunded my purchase in bitcoin, not bitcoin cash!

Consider the implications here: A dishonest customer could have used this bug to make ridiculous sums of bitcoin in a very short period of time. Let’s say I purchased one of the more expensive items for sale on Overstock, such as this $100,000, 3-carat platinum diamond ring. I then pay for it in bitcoin cash, using an amount equivalent to approximately 1 bitcoin (~$15,000).

Then I simply cancel my order, and Overstock/Coinbase sends me almost $100,000 in bitcoin, netting me a tidy $85,000 profit. Rinse, wash, repeat.

Reached for comment, Overstock.com said the company changed no code in its site and that a fix implemented by Coinbase resolved the issue.

“We were made aware of an issue affecting cryptocurrency transactions and refunds by an independent researcher. After working with the researcher to confirm the finding, that method of payment was disabled while we worked with our cryptocurrency integration partner, Coinbase, to ensure they resolved the issue. We have since confirmed that the issue described in the finding has been resolved, and the cryptocurrency payment option has been re-enabled.”

Coinbase said “the issue was caused by the merchant partner improperly using the return values in our merchant integration API. No other Coinbase customer had this problem.” Coinbase told me the bug only existed for approximately three weeks.

“After being made aware of an issue in our joint refund processing code on Saturday, Coinbase and Overstock worked together to deploy a fix within hours,” the Coinbase statement continued. “While a patch was being developed and tested, orders were proactively disabled to protect customers. To our knowledge, a very small number of transactions were impacted by this issue. Coinbase actively works with merchant partners to identify and solve issues like this in an ongoing, collaborative manner and since being made aware of this have ensured that no other partners are affected.”
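Coinbase attributes the bug to the merchant side misusing the return values of its payment API; the article shows the two consequences of that: a bitcoin-cash payment settling a bitcoin-denominated invoice, and a refund issued in the invoice currency rather than the currency received. The following is an added example, not code from Overstock or Coinbase, showing the merchant-side reconciliation check that closes both holes. The callback shape (`PaymentEvent`), the invoice fields, all names and the sample order data are assumptions; only the invoice amount (0.00475574) and the BTC/BCH pairing come from the article.

```python
# Added example (not Overstock's or Coinbase's code): reconciling a received
# crypto payment against the invoice it is meant to settle, and deriving the
# refund from what was actually received. Names and the callback shape are
# assumptions made for illustration.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    """What the merchant quoted to the customer at checkout."""
    invoice_id: str
    currency: str      # quote currency, e.g. "BTC"
    amount: Decimal    # amount due in the quote currency
    address: str       # deposit address printed on the invoice


@dataclass(frozen=True)
class PaymentEvent:
    """Hypothetical shape of a processor's payment-received callback.
    The processor reports the currency it actually observed on-chain."""
    invoice_id: str
    currency: str      # currency actually received, e.g. "BCH"
    amount: Decimal    # amount actually received in that currency
    address: str


class PaymentMismatch(Exception):
    pass


def settle_buggy(invoice: Invoice, event: PaymentEvent) -> bool:
    """Models the failure mode the article describes: only the numeric
    amount is compared and the currency field the processor returned is
    ignored, so 0.00475574 BCH settles a 0.00475574 BTC invoice."""
    return event.invoice_id == invoice.invoice_id and event.amount >= invoice.amount


def settle_hardened(invoice: Invoice, event: PaymentEvent) -> bool:
    """Every field the processor returns is checked against the invoice;
    any disagreement leaves the order unpaid instead of silently accepting it."""
    if event.invoice_id != invoice.invoice_id:
        raise PaymentMismatch(f"event is for {event.invoice_id}, not {invoice.invoice_id}")
    if event.address != invoice.address:
        raise PaymentMismatch("payment arrived at an address not on this invoice")
    if event.currency.upper() != invoice.currency.upper():
        raise PaymentMismatch(
            f"invoice quoted {invoice.currency}, payment received in {event.currency}")
    if event.amount < invoice.amount:
        raise PaymentMismatch(f"underpaid: {event.amount} < {invoice.amount} {invoice.currency}")
    return True


def refund_for(event: PaymentEvent) -> tuple[str, Decimal]:
    """A refund is derived from the payment event, never from the invoice:
    the customer gets back exactly what they sent, in the currency they sent."""
    return (event.currency.upper(), event.amount)


def audit(invoices: dict[str, Invoice], events: list[PaymentEvent]) -> list[str]:
    """Retroactive check over already-settled orders: returns the invoice ids
    whose recorded payment fails the hardened validation. This is what a
    merchant would run to learn whether the bug was ever exercised against it."""
    flagged = []
    for ev in events:
        inv = invoices.get(ev.invoice_id)
        try:
            if inv is None:
                raise PaymentMismatch("no such invoice")
            settle_hardened(inv, ev)
        except PaymentMismatch:
            flagged.append(ev.invoice_id)
    return flagged


# Constructed sample data: the amount and currencies mirror the article's
# lamp invoice (0.00475574 BTC); the order id and address are made up.
LAMP_INVOICE = Invoice("ORD-1", "BTC", Decimal("0.00475574"), "addr-constructed")
PAID_IN_BTC = PaymentEvent("ORD-1", "BTC", Decimal("0.00475574"), "addr-constructed")
PAID_IN_BCH = PaymentEvent("ORD-1", "BCH", Decimal("0.00475574"), "addr-constructed")

if __name__ == "__main__":
    print("buggy check accepts BCH:", settle_buggy(LAMP_INVOICE, PAID_IN_BCH))
    try:
        settle_hardened(LAMP_INVOICE, PAID_IN_BCH)
    except PaymentMismatch as err:
        print("hardened check rejects BCH:", err)
    print("refund owed for the BCH payment:", refund_for(PAID_IN_BCH))
    print("audit flags:", audit({"ORD-1": LAMP_INVOICE}, [PAID_IN_BTC, PAID_IN_BCH]))
```

The two design points are that the order is marked paid only when every field the processor reports agrees with the invoice (currency included, not just the number), and that the refund path reads the payment record rather than the invoice, so a mismatch that somehow slipped through could never be converted into a payout in a more valuable currency. The `audit` function is the retroactive form of the same check, the kind of sweep a merchant would want after a disclosure like this one.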

Bancsec’s Snyder and I both checked for the presence of this glitch at multiple other merchants that work directly with Coinbase in their checkout process, but we found no other examples of this flaw.

The snafu comes as many businesses that have long accepted bitcoin are now distancing themselves from the currency thanks to the recent volatility in bitcoin prices and associated fees.

Earlier this week, it emerged that Microsoft had ceased accepting payments in Bitcoin, citing volatility concerns. In December, online game giant Steam said it was dropping support for bitcoin payments for the same reason.

And, as KrebsOnSecurity noted last month, even cybercriminals who run online stores that sell stolen identities and credit cards are urging their customers to transact in something other than bitcoin.

Interestingly, bitcoin is thought to have been behind a huge jump in Overstock’s stock price in 2017. In December, Overstock CEO Patrick Byrne reportedly stoked the cryptocurrency fires when he said that he might want to sell Overstock’s e-tailing operations and pour the extra cash into accelerating his blockchain-based business ideas instead.

In case anyone is wondering what I did with the “profit” I made from this scheme, I offered to send it back to Overstock, but they told me to keep it. Instead, I donated it to archive.org, a site that has come in handy for many stories published here.

Update, 3:15 p.m. ET: A previous version of this story stated that neither Coinbase nor Overstock would say which of the two was responsible for this issue. The modified story above resolves that ambiguity.


56 comments

  1. Good article, and nice job supporting archive.org, Brian!
    Thanks!

  2. Best story so far this year! Now we all know to check out new adopters of Bitcoin to see if the same thing can be replicated with them.

    I mean, don’t we have to use every advantage possible to stay ahead for when this ePonzi scheme fails?

    “Bitcoin” is the perfect name for it, don’t you think???

    • Brent McAlister

      This is at least two separate Krebs articles in the last couple of weeks on the topic of cryptocurrency now where your comment has been a clear standout as the most facepalm worthy.

      I suggest you do some actual research on Bitcoin, or cryptocurrencies as a whole, before you embarrass yourself with these uninformed/uneducated comments any further.

    • The blockchain is here to stay, and will affect your life in ways you can’t even fathom, currently. Whether or not Bitcoin will be the dominant currency is anyone’s guess. I suspect not… As there are far superior technologies, which are directly competing against each other. There will be some winners and losers, but Bitcoin is currently the gold standard of the Crypto world…

      • I’ve heard that hundreds of times and so far it always falls flat. Besides money laundering and crime what is the real advantage of a currency backed by nothing with widely varying fees? No major country in the world is going to stand by while billions of tainted dollars flow unseen, untaxed, and unregulated.

        • Sure sounds like the current currencies being used around the world.. plenty of dirty green bills are traded without being taxed. Have you not considered that your current currency is digital? Access card = login, pincode = the least secure 4 digit password. You’re logging in to the bank’s database. Only the bank has a copy of that database. If they lose their copy, there goes the proof of your finances. Blockchain provides everyone with an exact copy of the database. Sure you can modify yours, but if those changes can’t be verified by everyone else’s copy, then you’re not validated. It’s secure, gives individual control and removes the grasp the banks have on our finances.

          • You say that like it matters. To the average person not up to anything criminal it doesn’t. I would prefer in fact for the drug dealers and high dollar money launderers to get caught and prosecuted by the IRS and FBI. I don’t get any benefit from crooks using cryptolockers or selling drugs in my community, and at the end of the day the entire premise of crypto currencies was designed for problems 95% of law-abiding people will never run into. The inevitable result is what we see today, governments not recognizing these as legitimate ways to process transactions and rightfully seeing them as a smoke signal for criminal activity.

        • Right, bro. I can’t understand why USD is so widely accepted too!

    • Remember when people said that about “facebook”?

  3. whoa Brian!

    great find, great story!

    glad you are on the side of the good.

  4. As always great article

  5. I wonder how much longer Overstock will even be accepting Bitcoin. Like the others that you mentioned, most retailers cannot manage the volatility.

    Bitcoin is hardly a currency anymore. It’s really only a speculative commodity. Long-time supporters of Bitcoin, as I am, are saddened by this. It’s supposed to be a useful currency. There is no other cryptocurrency that has/had as much retailer support as Bitcoin. Until cryptocurrencies stop being treated like “play money” I don’t see any future for more retailer adoption.

    • It’s obvious you don’t understand how retailers handle crypto payments. When Overstock accepts a payment via Coinbase or Bitpay, it’s immediately secured in $ at the current conversion rate. They don’t just hold on to Bitcoin and cash it in at the end of the month, it’s instant.

      • Generally this is true, but Overstock is a bit different in that they announced Q3 last year they are retaining 50% of all BTC to keep on the balance sheet. They’re the 1st public corp I know of to hodl BTC

    • Crypto currencies will always be “play money.”
      You can’t bury it.
      You can’t use it when the power goes out.
      It would cease to have value if no one wanted to play with it, because it’s neither rare, unique, or intrinsically valuable.
      It’s extremely dirty to produce, as there is an environmental and economic cost to running computers to “mine.” And that environmental cost is rising.
      You can’t use it as a practical way to buy real things in real stores in physical reality. Good luck trying that during the next post-natural disaster situation.

      • Is it truly any different than the current money system? I go months on end without touching a paper bill. Most people’s assets are direct deposited into a bank and they use their plastic to pay for everything. In that case, what happens when the power goes out?? Can I go to an ATM? Will the debit/credit card readers work? No. Everything is play money now.

      • Read up on crypto cash, pal. It is designed to be scarce.

      • Sure you can. You can bury the private keys printed on paper or etched on metal. You can transact with no power the same way you do with no cash during a blackout. You agree to even things up when the power comes back on. Unless you believe the power is going to go out forever it really isn’t an issue any more than your bank balance resting in a computer somewhere. Besides, Bitcoin isn’t replacing fiat or gold, it’s just another way to transact.

        As for your comment that “It would cease to have value if no one wanted to play with it”, that is true of ANY currency. The US Dollar has value because everyone believes it has value. Read up on how Brazil launched their new currency and stopped the crazy inflation of the old Real. Nothing changed, except public perception. “Oh THIS dollar is good! The old dollar is bad.” 😀

  6. Great article.
    These situations, when not discovered in time, can be a really big headache.

    • Francis Ford Crapola

      The question is who in their right mind selling stuff on the internet doesn’t have the common sense to check and see if the currency they’re calculating is accurate?

      If they accept anything other than 1 currency and they’re not paying attention to that, especially something as large as overstock, that’s a massive failure of management. Not unfixable, but breathtaking.

      It portends more.

  7. shocking that you found the coinbase site sufficiently functional to do this. many of us have had no joy interacting with them.

  8. Frankly I don’t see a connection between Bitcoin’s price volatility and the current rate of adoption. It’s really no more or less volatile or speculative than Amazon stock used to be, or still is, for many value investors. Brian, maybe Amazon is too volatile for you too? Better coding in the Bitcoin ecosystem can fix these short-term bugs that are simply delaying all merchants’ inevitable adoption. Bitcoin IS the future of money; Coinbase just isn’t getting ready for it fast enough.

    • Except people don’t use Amazon stock for retail purchases because Amazon stock isn’t a currency. Amazon stock is a commodity. That’s why volatility is accepted with it. Comparing the two only undermines your argument that Bitcoin is a currency.

      • don’t really see the word currency in his “argument” but if you think money and currency are the same thing boiiiiiiiiiiii

        • The “currency” part of the argument is implicit. Brian says “many businesses that have long accepted bitcoin [as a medium of exchange] are now distancing themselves from the currency thanks to the recent volatility.” Bitcoin_Rules argues there is not a connection between the volatility and the rate of adoption [as a medium of exchange].

          What I think Greg is saying is that generally a currency should be a 1) medium of exchange and 2) a store of value.

          That value is obviously not a constant, but we still expect our currency to be more dependable (predictable?). Something that is not doesn’t qualify as a worthy currency to Greg. I see where he is coming from.

  9. Excellent story!

  10. wow, even Overstock? need to be careful, you might lose everywhere.
    that’s crazy, can’t trust nothing
    I think crypto currency and BTC should be a safe thing, because even criminals are using this, so thieves steal now from other thieves too??
    no honor among thieves

  11. I had to laugh when I read ‘To confirm and replicate Snyder’s experience firsthand, KrebsOnSecurity’. Nice job of distancing yourself from the caper.

  12. Great research you did on this article! And thumbs up for supporting archive.org – they do great things for the internet and are definitely worth every support.

    But I think you miss one point here: payment in ecommerce is a complicated issue, and things that can go wrong will go wrong eventually. The more complicated it is, the more likely it will happen. Developers make mistakes. I have implemented online payment methods into online shops myself and I know from experience, both in my own work and from other developers. I remember when MasterCard SecureCode was introduced a few years ago and online shops started adapting it: I made a purchase from one of the top ten online retailers for electronics in Germany and when it came to entering the secure code, I realized I didn’t know it – so I hit cancel. What happened was the purchase was completed and marked as paid. The item was sent to me, even though I never paid for it.

    If you are to blame anyone for this incident you described, don’t blame Coinbase or Overstock, blame Bitcoin. Bitcoin may be groundbreaking as an idea, but the current implementation has been proven completely unfit as an everyday payment method. It’s not only slower and has higher transaction costs than any other traditional online payment method, but it is also too complicated for non-tech people to wrap their mind around it, let alone for tech people to implement it as a secure and reliable payment method yet.

    There will most definitely be a crypto currency (or multiple currencies) that will replace PayPal and credit cards for online payments, but it has to be different to Bitcoin in a way that is yet to be found.

  13. I’m sorry but the comments here are pretty shallow and uninformed about “Bitcoin” and the large cryptocurrency space as a whole.

    Bitcoin is one of the few that actually has real engineering and coding talent behind it. Bcash is a patch job run by a criminal. Support of that trash was the first mistake.

    Solutions are coming to “high transaction fees” quicker than people think. And they are real scalable solutions. The volatility is natural and healthy at this stage. And it’s surely no worse than national currency that is artificially propped up and will inevitably crash, like Greece.

    In pretty much every country it really doesn’t matter anyway. The government decides what is and isn’t currency. The laws are clear about how they wish to treat it, at least right now.

    It’s also not really that much more confusing than debit/credit cards and other electronic payment was to people before they were forced to learn. The major difference being you’re responsible for securing your money or pay someone to do it for you.

    The real test will be when government inevitably pushes for their own controlled cryptocurrency. Will people refuse and fight back in the centralization of power and lack of freedom that entails or roll over thinking

    • Stupid mobile…

      Thinking they’ve won because crypto = win, which would miss the point entirely.

    • Most people learned how to use debit cards for online payments simply by intuition. Good luck trying to explain the problem of unspent outputs with a paper wallet to 10 random people you meet on the street! (https://bitzuma.com/posts/five-ways-to-lose-money-with-bitcoin-change-addresses/)

      If you think that Bitcoin (or any crypto currency) can replace credit cards if you just solve the scalability issues, it is wishful thinking.

      The idea behind Bitcoin is great, but the revolution has just begun. History tells us that it is rarely the first (nor the “best” implementation) of a new technology that makes the breakthrough in the wide market and gets accepted by people. And really: people couldn’t care less if it’s called Bitcoin or Bitcoin cash or something else.

    • You don’t know $hit dude.

      The guy who runs Bitcoin cash is a criminal? LOL, says who? an unknown stranger that can’t even correctly express himself and blames his mobile? Just that makes your whole comment laughable at best if not SUSPICIOUS as to your motives (troll? personal gain? invested in bitcoin core) ..

      You continue with only wishful thinking, or simply utter dreams. Already another one replied to you on that too..

      And you go on after that to show your complete ignorance of what you’re talking about with the “it’s surely no worse than national currency that is artificially propped up and will inevitably crash, like Greece.” LOL?!?! Greece’s problem was its debt, you fool, its currency is the Euro like most of the rest of the E.U. .. You don’t even know what you’re talking about… Anything..

      And since we’re at it, get over your dream of becoming a millionaire by inflating Bitcoin because the downfall has only started.

      Crypto will remain but bitcoin is doomed already. Bitcoin Cash, Ethereum , Monero and countless others have already surpassed it!

  14. Nice article on a very timely issue. Everyone has interest in the bitcoin world right now. Thanks for adding this angle.

  15. “Rinse, wash, repeat.”

    Couldn’t you also launder drug money in a similar way and totally take Overstock to “the cleaners”?

    • Well, they’re spending bitcoin, which is normally acquired by selling drugs or other illegal items.

      • Lol lol at the person who said Bitcoin is typically just acquired by people who are selling drugs. Clearly doesn’t understand crypto. Bitcoin is an investment millions of people, companies, investors, and even banks are staked in.

        This is a great article, though! Big whoops

  16. Funny thing is 3 of those LED lights are only worth a total of $12 in the first place. I picked up one of them a few months ago for only about $8.

  17. IRS iTunes Card

    Great article

  18. The donation to archive.org part of the story seems unbelievable, as it is unnecessary and irrelevant to the subject matter here.

    • Your comment was unnecessary and irrelevant. Archive.org is a great foundation and I’m happy Brian donated to them.

    • Unbelievable? Feel free to ask archive.org/Brewster Kahle if they got a BTC donation at 11:37 am yesterday with the attached note, “Thank you for your indispensable service!”

      Also, it’s included because I figured one or more readers would legitimately question or ask what I did with difference between what I spent and what they refunded me.

      • It doesn’t make any difference what people think of what you did with the difference. It was given to you by Overstock and you had the right to spend it on whatever you wanted to.

        • @Wm,

          In this case, it goes back to the interests of Full Disclosure. By telling Brian to “keep it”, it risks seeming to be a bribe (albeit a ridiculously small sum).

          If someone finds an error in the article, or believes that the coverage is unfairly kind, they might attribute it to the extra funds.

          This way, it’s explained what happened to the excess funds and that it’s not something that has financially enriched Brian.

          He’s careful to make these disclosures, such as when noting that he is (was?) an unpaid advisor to Hold Security, or when SourceBook was breached while they were selling his book.

      • Brian, I appreciated you letting us know what you did with the money. It tells us a little more about you and what you care about. Also, it sent me to Archive’s blog where I found some cool reads.

        To spite these fellas, I donated an additional $10 – ripple effect, baby!

  19. Good article, great donation.
    I can see how the problem occurred. Probably an overflow of field size in a data flow. The part I liked was the reaction times of the companies involved. Kudos to them. And no bs about them, make the users happy, good job.
    Too much bs in the comments, about currencies. Monies are a construct, so we don’t have to have a fully functional farm, next to whatever other supplies needed to produce, you can buy or trade for it. Trade a labor.

  20. My understanding is that virtual currency was created for/by criminal organizations as a way to bypass currency restrictions. What supports this currency (gold, etc.)? As it is virtual, currency support is provided by past and future computer cycles. Why would anyone use these?

    btw – check fb

    • I look at it more like it is a way for oppressed people in places like North Korea to find a way to pay for something that the government might not approve of, and that can’t be traced back to you. So it give the oppressed people of the world a chance at some freedom. The fact that criminals may take advantage of it, is like complaining about criminals abusing their other rights, and then blaming it on the Bill of Rights.

  21. ” the company changed no code in its site and that a fix implemented by Coinbase resolved the issue.” This made me wince. They didn’t learn anything from this bug, which I guess means no one else exploited it. Coinbase should of course fix their error, but Overstock should also be verifying that the transactions are correct. I suppose if they handled cash, they wouldn’t double count that?

  22. 100% coinbase is @ fault. They will pay out of pocket for damages. which also means higher and more fees for coinbase users GG.

  23. It’s interesting that Overstock claimed no change, but Coinbase said it’s their problem. I guess one of Coinbase’s APIs returns something like `{"currency": "btc", "value": "0.001", "address": "…"}`. Perhaps they fixed it by disabling BCH reports for Overstock.

    Could someone speculate on how this glitch might have happened?

  24. Another problem with Overstock.com, same product on Amazon is $64.99. For a package of four of them. 🙂

  25. So, is it Coinbase who’s at fault??? Seems like Coinbase is amazingly incompetent. Every day it’s some new screw-up.

  26. You could also open anything with blockchain attached at the name. Like “Shady Blockchain Business”. Easy money!
