The target was a high-traffic electronics retailer. Their checkout process was sleek and fast. Too fast. While testing, I noticed that when I added the last item in stock to my cart, the site would sometimes flicker between “In Stock” and “Out of Stock” if I spammed the “Add to Cart” button. That flicker was the hint. It represented a tiny gap — a few milliseconds — where the application’s logic was vulnerable. By weaponizing this gap with a carefully timed script, I was able to trick their system into letting me purchase a $3,000 drone after it was officially out of stock, paying only a fractional penny. This flaw, a race condition, earned a $2500 bounty.
What is a Race Condition?
In simple terms, a race condition occurs when the output of a process is unexpectedly dependent on the sequence or timing of other uncontrollable events. It’s like two threads (or processes) running a race, and the flawed outcome depends on who finishes first.
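The check-then-act gap behind the stock flicker in the story above, as an added example that is not code from the original post or the retailer: a constructed in-memory `Inventory` class (all names hypothetical) in which a `threading.Barrier` stands in for the few-millisecond window, shown beside a version that checks and decrements under one lock.

```python
import threading

class Inventory:
    """Constructed stand-in for a stock counter; not the retailer's code."""

    def __init__(self, stock):
        self.stock = stock
        self._lock = threading.Lock()

    def buy_check_then_act(self, gap):
        # Flawed: the check and the decrement are two separate steps.
        if self.stock > 0:
            # The barrier models the gap: every request has already
            # passed the check before any of them decrements.
            gap.wait()
            with self._lock:  # locking only the write does not help
                self.stock -= 1
            return True
        return False

    def buy_atomic(self, gap):
        gap.wait()  # all requests still arrive at the same moment
        # Hardened: check and decrement form one critical section.
        # In SQL the same idea is a conditional update such as
        # UPDATE items SET stock = stock - 1 WHERE id = ? AND stock > 0
        with self._lock:
            if self.stock > 0:
                self.stock -= 1
                return True
            return False

def run(method_name, requests=5, stock=1):
    """Fire `requests` concurrent purchases; return (orders accepted, final stock)."""
    inv = Inventory(stock)
    gap = threading.Barrier(requests, timeout=5)
    results = []

    def worker():
        results.append(getattr(inv, method_name)(gap))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), inv.stock

if __name__ == "__main__":
    print("check-then-act:", run("buy_check_then_act"))
    print("atomic:        ", run("buy_atomic"))
```

A negative final stock, or more accepted orders than units on hand, is the signal to look for in order and inventory records when auditing for this class of bug.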
In web security, it often happens when:
- A system checks a condition (e.g., “Is there stock available?”).