- Summary of the Exploit
- G2A's payment flow can be manipulated using a timezone conflict during transactions. When a custom script alters the browser timezone mid-checkout, the external processor (Bitbay) marks the transaction as expired, but G2A still delivers the product. If the payment exceeds a specific threshold, Bitbay refunds the money automatically, while the user keeps the purchased item.
- Example:
  - You pay $500
  - G2A delivers a $500 gift card
  - Bitbay flags the payment as expired and refunds the BTC
  - You end up with both the funds and the product
- Why This Works
- Bitbay relies on time validation between order creation and payment. A client-side timezone shift triggers a mismatch, causing the processor to incorrectly expire the payment. However, G2A's backend doesn't detect this and proceeds with fulfillment. This leads to a one-sided gain: funds are refunded, but the product is still delivered.
- Full explanation:
- PDF: docs.google.com/document/d/17C9Cpyqbl3xfnwqfYv-bxw48vdKU59NuL_BR1a4rlvE/edit?usp=sharing