📝 Summary of the Exploit

G2A’s payment flow can be manipulated using a timezone conflict during transactions. When a custom script alters the browser timezone mid-checkout, the external processor (Bitbay) marks the transaction as expired — but G2A still delivers the product. If the payment exceeds a specific threshold, Bitbay refunds the money automatically, while the user keeps the purchased item.

Example:
● You pay $500
● G2A delivers a $500 gift card
● Bitbay flags the payment as expired and refunds the BTC
● You end up with both the funds and the product

❗ Why This Works

Bitbay relies on time validation between order creation and payment. A client-side timezone shift triggers a mismatch, causing the processor to incorrectly expire the payment. However, G2A’s backend doesn’t detect this and proceeds with fulfillment. This leads to a one-sided gain: funds are refunded, but the product is still delivered.

📄 Full explanation:
📌 PDF: docs.google.com/document/d/17C9Cpyqbl3xfnwqfYv-bxw48vdKU59NuL_BR1a4rlvE/edit?usp=sharing
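The two failure modes the text describes are (a) a payment-window check that can be moved by a client-controlled clock or timezone, and (b) fulfilment that does not wait for the processor to confirm settlement. The following is an added, hypothetical merchant-side example written for this page; it is not G2A or Bitbay code, and the 15-minute window, the `ProcessorStatus` values, and the order ids are assumptions. It computes expiry only from server-recorded, timezone-aware instants normalised to UTC (so the same moment written with a different offset gives the same answer and a naive timestamp is refused), gates delivery on a settled status, and reconciles delivered orders against the processor report so a "delivered but refunded/expired" order is surfaced for review instead of silently accepted.

```python
"""Hypothetical merchant-side checks (constructed example, not G2A or Bitbay code).

1. Payment-window expiry is computed from server-recorded, timezone-aware
   UTC instants, so a client changing its browser timezone cannot move the
   order or payment time.
2. Fulfilment is gated on the processor reporting the payment as settled,
   and a reconciliation pass flags any order that was delivered while the
   processor shows it expired, refunded, or never settled.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List

PAYMENT_WINDOW = timedelta(minutes=15)  # assumed window; not a documented G2A/Bitbay value


class ProcessorStatus(Enum):
    """Assumed status vocabulary for the payment processor's report."""
    PENDING = "pending"
    SETTLED = "settled"
    EXPIRED = "expired"
    REFUNDED = "refunded"


@dataclass(frozen=True)
class Order:
    order_id: str
    amount_usd: float
    created_at: datetime  # recorded by the merchant server, timezone-aware
    fulfilled: bool = False


def parse_timestamp(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and reject any value without a UTC offset.

    A naive timestamp is exactly the ambiguous input a timezone shift relies on,
    so it is refused rather than interpreted in some local zone.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset rejected: {ts!r}")
    return dt.astimezone(timezone.utc)


def is_payment_expired(created_at: datetime, paid_at: datetime,
                       window: timedelta = PAYMENT_WINDOW) -> bool:
    """True if the payment landed outside the window after order creation.

    Both inputs are normalised to UTC before subtraction, so the offset they
    were written in has no effect on the elapsed time.
    """
    for name, dt in (("created_at", created_at), ("paid_at", paid_at)):
        if dt.tzinfo is None:
            raise ValueError(f"{name} must be timezone-aware")
    elapsed = paid_at.astimezone(timezone.utc) - created_at.astimezone(timezone.utc)
    return elapsed > window


def may_fulfil(order: Order, status: ProcessorStatus) -> bool:
    """Deliver only when the processor has confirmed settlement, and only once."""
    return status is ProcessorStatus.SETTLED and not order.fulfilled


def reconcile(orders: List[Order],
              processor_report: Dict[str, ProcessorStatus]) -> List[str]:
    """Return ids of orders delivered while the processor holds no settled funds.

    These are the one-sided outcomes described above: product shipped, money
    refunded, expired, or never captured. They are routed to manual review.
    """
    unsettled = (ProcessorStatus.EXPIRED, ProcessorStatus.REFUNDED, ProcessorStatus.PENDING)
    return [
        o.order_id for o in orders
        if o.fulfilled
        and processor_report.get(o.order_id, ProcessorStatus.PENDING) in unsettled
    ]


# Constructed sample data; order ids, amounts and times are invented for the demo.
SAMPLE_ORDERS = [
    Order("ORD-0001", 500.0, parse_timestamp("2024-05-01T12:00:00+00:00"), fulfilled=True),
    Order("ORD-0002", 500.0, parse_timestamp("2024-05-01T12:00:00+00:00"), fulfilled=True),
    Order("ORD-0003", 50.0, parse_timestamp("2024-05-01T13:00:00+00:00"), fulfilled=False),
]
SAMPLE_REPORT = {
    "ORD-0001": ProcessorStatus.SETTLED,
    "ORD-0002": ProcessorStatus.REFUNDED,  # delivered, then the funds went back
    "ORD-0003": ProcessorStatus.EXPIRED,   # never delivered, nothing to flag
}

if __name__ == "__main__":
    created = parse_timestamp("2024-05-01T12:00:00+00:00")
    # Same instant, different offset: 14:05 at UTC+2 is 12:05 UTC -> not expired.
    print(is_payment_expired(created, parse_timestamp("2024-05-01T14:05:00+02:00")))
    # 20 minutes after creation -> expired regardless of how the client writes it.
    print(is_payment_expired(created, parse_timestamp("2024-05-01T12:20:00+00:00")))
    print(reconcile(SAMPLE_ORDERS, SAMPLE_REPORT))
```

The design point is that neither check consumes anything the browser sends: `created_at` is the server's own clock at order creation, `paid_at` comes from the processor's callback, and fulfilment keys off the processor's settled status rather than the merchant's local view of the order. The reconciliation pass is the detection side: run it against the processor's daily report and any order that appears in its output is a delivered-but-unpaid item that needs a human look.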