
Website Glitch Let Me Overstock My Coinbase - wglb
https://krebsonsecurity.com/2018/01/website-glitch-let-me-overstock-my-coinbase/
======
osteele
Many U.S. retail establishments near* the Canadian border treat Canadian
quarters as equivalent to U.S. quarters—accepting them at a 25¢ value,
including them as change if they got into the till.

The US:CAD rate is only 4:5, not the 1:6 BTC:BCH ratio at the time of the
article. Perhaps more importantly, one can only use Canadian coins this way in
person, and therefore probably at very low volume. Nonetheless, it’s
interesting to see the parallel.

* And not that near, either. I’ve seen this in Massachusetts. I never saw this growing up in North Carolina, or when I moved to California, though.

~~~
kolbe
I'd like to think of how this arbitrage might go down.

You try to buy an iPad in the US using 2000 Canadian quarters, thinking you
will return it later to get 500 USD. Instead, they just tell you to 'fuck off'
when you try to make the initial purchase.

~~~
dawnerd
I think if you try to buy anything with that many quarters they’d push you
away.

------
ditn
One thing that'll help prevent this sort of confusion is the upcoming change
in Bitcoin Cash address formats
([https://gist.github.com/DesWurstes/bba4222c8b6253b940096fced...](https://gist.github.com/DesWurstes/bba4222c8b6253b940096fcede97e17a)).
Assuming clients check that the BTC addresses are valid, they'll reject the
new BECH32 BCH format.
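
The validation step this comment assumes, as an added example that is not code from the thread or from Coinbase or Overstock: a merchant-side Base58Check decoder that accepts only legacy Bitcoin mainnet addresses (version bytes 0x00 and 0x05, 20-byte payload) and rejects anything else, including a CashAddr-style string. The 20-byte hash and the `bitcoincash:` string used as inputs are constructed for the example, not real addresses.

```python
import hashlib
from typing import Optional, Tuple

# Base58 alphabet used by Bitcoin (no 0, O, I or l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy mainnet version bytes a BTC-only integration should accept.
BTC_MAINNET_VERSIONS = {0x00: "p2pkh", 0x05: "p2sh"}


def _sha256d(data: bytes) -> bytes:
    """Double SHA-256, the Base58Check checksum function."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + payload + 4-byte checksum as Base58Check."""
    raw = bytes([version]) + payload
    raw += _sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte becomes a leading '1' character.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(addr: str) -> Optional[Tuple[int, bytes]]:
    """Return (version, payload) for a valid Base58Check string, else None."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the Base58 alphabet (e.g. ':' or '0')
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return None  # too short to hold a version byte and checksum
    if _sha256d(raw[:-4])[:4] != raw[-4:]:
        return None  # checksum mismatch: typo, truncation or corruption
    return raw[0], raw[1:-4]


def classify_btc_address(addr: str) -> str:
    """'p2pkh' or 'p2sh' for a valid legacy mainnet address, else 'rejected'."""
    decoded = b58check_decode(addr)
    if decoded is None:
        return "rejected"
    version, payload = decoded
    if len(payload) != 20 or version not in BTC_MAINNET_VERSIONS:
        return "rejected"
    return BTC_MAINNET_VERSIONS[version]


if __name__ == "__main__":
    # Constructed 20-byte hash; the resulting address is for illustration only.
    h160 = bytes(range(20))
    for candidate in (
        b58check_encode(0x00, h160),
        b58check_encode(0x05, h160),
        b58check_encode(0x6F, h160),  # testnet version byte
        "bitcoincash:qpzry9x8gf2tvdw0s3jn54khce6mua7lqxyz",  # constructed CashAddr-style string
    ):
        print(candidate, "->", classify_btc_address(candidate))
```

Note that this check does nothing about the confusion in the article itself, where a legacy BCH address is byte-for-byte a valid legacy BTC address; it only guarantees that once a client moves to the new format, its addresses no longer pass a BTC validator.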

------
gtirloni
Does anyone with knowledge of the e-retail industry and BTC acceptance know how
businesses deal with the wild fluctuations in the BTC price?

~~~
friedButter
Someone should open a company which provides tokens in exchange for depositing
BTC with them. People can trade these tokens which are notional
representations of the BTC holdings in an instantaneous manner. Then when
someone actually wants the BTC, they redeem the tokens with the company and
the BTC is transferred to their wallet... alternatively the company itself
could act as an exchange and always send currency instead of tokens to the
person receiving a payment.

Since all the small transactions are happening via these tokens, the cost of
Bitcoin transactions would be a much smaller issue..

~~~
che_shirecat
what would be the point of this? why not just use mainstream payment methods
and then when someone actually wants BTC, purchase it from an exchange for
fiat? The whole point of cryptocurrency is that it's decentralized, creating a
derivative on top of it (for payments??) issued by a centralized company
subject to counterparty risk kinda ruins the purported advantages of Bitcoin
don't you think?

~~~
friedButter
As long as this system is run online, it would be free of regulations, so the
govt would not be able to impose its will on your assets...

~~~
che_shirecat
Until this only-online "exchange" is "hacked" and suddenly you can't claim any
BTC with their tokens anymore. Did you read the "counter-party risk" part of
my comment?

~~~
friedButter
My bad, missed that.

Yes, that risk is increased quite a bit, but I thought the main selling point
of Bitcoin is that govt can't control your spending, which would stay

------
nathan_f77
I would be really interested to know how much a black-hat hacker could have
stolen.

I found this on the Overstock Wikipedia page [1]:

> In the first 22 hours, they received over 800 orders worth US $126,000 in
> bitcoin. This represents a 4.33% increase in sales from their normal income
> of $3 million per day. ... In mid-2014 Overstock.com announced that bitcoin
> sales were averaging $300,000 per month and that the company expected
> bitcoin sales to add 4 cents to the company's 2014 earnings per share.

I can't find any recent information, but it might have slowed down since
Bitcoin transactions are so expensive now. Overstock is also holding 50% of
their Bitcoin revenue as an investment, but I presume that's in cold storage.
If they were doing $10,000 USD per day in 2014, then I would guess they might
be doing around $100,000 in 2018.

So the refunds are probably coming out of some addresses that hold around
$100,000 to $500,000 USD. Their Coinbase integration might have a daily buy
limit of around $1M, or maybe even no limit. So a hacker could have stolen 6
or 7 figures, but probably no more than that.

You could write a script to automate all of the orders and refunds. You could
use Tor, or you could use Bitcoin to rent VMs and IP addresses, then connect
to your VMs via Tor. I don't know if Overstock has CAPTCHAs, but that's not a
big deal if you're making 4-5 figures per CAPTCHA. And finally, you just trade
the stolen Bitcoin for Monero, then back to Bitcoin. The only thing you have
to worry about is a guilty conscience.

It's unclear if you could only use pre-fork transactions, or if you could
spend the Bitcoin Cash from new blocks. If it's the latter, then you could
just buy Bitcoin Cash using your refunded Bitcoin, and create/cancel orders in
an infinite loop until you emptied their account.

I find it very interesting that Bancsec specializes in bank security. It's
probably a bit harder for JB Snyder to get away with something like this than
your average software engineer, since the FBI and IRS are probably keeping an
eye on him. He's also the founder of a very successful security company, so 6
or 7 figures probably isn't worth the risk. (And of course, he's probably a
model citizen and a saint.)

Anyway, it's not every day that you come across a virtual duffel bag with 6 or
7 figures of anonymous cash. I hope Coinbase or Overstock paid a bug bounty.

~~~
sillysaurus3
The answer you're looking for is "Yeah, as much as people like to cry moral
decay, honor is still a thing."

You're right, there was no advantage to reporting the vuln. Most people would
have jumped on that vuln like <edgy metaphor>.

But "fuck you, got mine" mentality won't get us to Mars. And as stupid as it
sounds, having a story to tell is at least partly as satisfying as doing the
actual heist. Zero risk, and you get to brag how smart you were. People are
also much more likely to trust you in the future (as opposed to you being an
unknown quantity).

Heists like that also punish the ecosystem. If Overstock lost $1m, it would
forever show that moving to crypto is fundamentally a terrible idea. It would
destabilize the basis of wealth you sought to acquire.

But... Yeah, passing up a $1m payday would not be easy.

~~~
nathan_f77
This would be a pretty mild hack compared to all the other cryptocurrency hacks
that have happened so far. There's the $30M Parity hack, $94M stolen from
Bitfinex, $473M from Mt Gox, $5.1M from Bitstamp, $50M from DAO, $7M from
CoinDash, $8M from Veritaseum, and $500k from Enigma. I'm probably missing a
few big ones, and countless small ones. But a $1M Overstock hack would barely
make the news, and would probably be covered by insurance.

It's fun to think about all the people behind these hacks. JB Snyder could
have been one of them, and we'd never know. A lot of them are probably just
regular software engineers and security experts who stumbled onto these
vulnerabilities.

I think it's true that the "fuck you, got mine" mentality won't get us to
Mars, but that's the motivation behind cryptocurrencies. We can't trust
billions of strangers, but we can trust math and physics.

Except, we already have systems that allow us to trust billions of strangers
(governments and laws). Governments and banks could have reversed all of these
transactions. The FBI might have tracked down the hackers, and a judge might
have sent them to prison. I'm starting to think that we don't really need
cryptocurrencies, and the current system is actually pretty good.

------
FabHK
I'm wondering who lost in this scenario, Overstock or Coinbase? The author
offered to send it back to Overstock, and Coinbase presumably has a few other
merchants, so presumably Overstock.

------
esseti
it reminds me a bit of this
[https://www.youtube.com/watch?v=SIMF8bp5-qg](https://www.youtube.com/watch?v=SIMF8bp5-qg)

------
oceanghost
This isn't Overstock's first rodeo.

Back when Microsoft was literally paying people to use Bing, Bing had a
promotion such that certain items were eligible for a 20% discount, which was
paid via a rebate check from Microsoft.

One day, I ordered some item then canceled it, and a couple months later I got
an email informing me I had been credited for the purchase via MS, and my
rebate account had $10 or something. It took me about... 30 seconds to
realize the implications of this.

I ordered as many plasma TVs as I could, one at a time, and then canceled
them. I got about $900 of rebate checks before someone got suspicious. They
canceled my account because I was buying too many TVs. They never did figure
out what was going on.

Was it ethical and moral? No. But I hate MS and they've stolen thousands from
me over the years. It felt great to get one over on them.

Edit: I've hated MS since I saved all summer to buy MS-DOS 5 and it was
complete crap.

~~~
wwalser
> But I hate MS and they've stolen thousands from me over the years.

I thought it was a cool story and a neat hack. I passed no ethical judgement.
Until you went off the deep end with that fantasy-land justification.

MS didn't steal from you. You exchanged money for a product that, even if it
was "complete crap", was the product that you desired more than others
available in the market at the time of purchase.

It's not difficult to come up with a justification that passes a sniff test of
conforming with reality: "I felt no ethical hesitation about this. MS shipped
poor code for years. Most of the time the failures of that code most impacted
their customers, I just found a case where it impacted them."

~~~
oceanghost
I was very plain-spoken about being a complete bastard and motivated by
hate. I don't know how I could be any clearer about not being a good person in
this instance.

Fortunately, I don't give a damn what strangers on the internet think about me
:)

My only regret is not stealing more money from them.

~~~
Top19
I very much agree with your ethical justification.

I used to struggle with this too, but then I realized just how much
corporations steal from America.

It wasn’t always like this of course, both consumers/citizens and companies
can go back to treating the other not-like-shit, but companies can go first.

This all hit me one day when I realized that, even if I dedicated my life to
crime and greed, I would never be able to steal/defraud as much as many
companies have in several business hours.

That being said I want to make it clear I pay my taxes in full and take only
the standard deduction.

~~~
oceanghost
Exactly. Thank you.

I don't have morals. I simply reflect them. You treat me ethically, I will
treat you ethically.

MS stole from me, I steal from them. There's no moral high ground here. Just
reality.

~~~
794CD01
Denying the concept of morality is merely a transparent excuse for not feeling
bad about behavior you know to be immoral.

You were doing better in your previous comment when you admitted you were
being a bad person and simply didn't care.

~~~
oceanghost
Acting morally in all cases is denial of the true nature of the universe.

I destroy what is bad, and nurture what is good.

------
vthallam
They should not have used such a similar name in the first place during the
fork, and the aggressive marketing on CNBC about bcash as the original Bitcoin
added more confusion for people and, as I see it, for the systems too.

Though anecdotal, no one I know is even talking about Bitcoin Cash. Can we not
rename it already? It would be better for investors and also for the Bitcoin
Cash team.

~~~
vim_wannabe
Bitcoin in the name is the only thing that holds the value. Other currencies
have noticed and are quickly naming themselves after Bitcoin, like ZClassic
renaming to Bitcoin Private.

~~~
sillysaurus3
Sounds like it's time for decentralized trademark enforcement.

~~~
gorn
As a blockchain!

~~~
1337biz
Let's draft a whitepaper and start the ICO tomorrow! We could collect
pre-launch ETH already here.

~~~
Cyberdog
HackerNewsCoin

