osCommerce

PayPal Security Question


shawnm

I have a security question. Recently, we had a customer choose to pay for a $300 item using PayPal and the customer completed payment and the order was marked as paid, however the customer only paid $0.01.

I tested it out... and I figured out how the customer did it. The customer went through the site and created an account, then when he got to:

https://www.oursite.com/checkout_confirmation.php

The customer copied the HTML, pasted it to his local computer and edited it to show the $300 merchandise was only $0.01, then clicked continue on his local computer, PayPal allowed for payment, then marked the order paid on our admin.

I have read through the forums, but must be missing how to fix this security issue. Luckily we caught the payment didn't match the order, so we did not process it.

Any ideas how to fix this?

Thank you in advance.

Shawn

I hope you sent that customer a nice email and also told PayPal what he is doing. Something like JavaScript HTML encryption on the fly is needed; that would do the job. Don't know if anything like that exists.

I did send him an email and contacted PayPal. PayPal did say that the web page needs to be encrypted to prevent this from happening. I checked eBay and their page is encrypted to pass the data to PayPal.

I have checked and have not seen anything like it in the contributions. It seems that this had to have happened to more people than just me.

Any ideas would be greatly appreciated.

Thanks again.

Shawn


SSL is in use. SSL does not fix this problem as it is not in the transmitting of the data... it is a very simple copy, paste and edit HTML hack.

I am surprised that others have not had a problem with this. I have checked other osCommerce sites and all the ones I have checked would easily be hackable the same way mine was.

There must be a solution.

Thanks in advance.
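
The manual check described in the thread (the payment did not match the order) can be done on the server before an order is marked paid. This is an added example, not part of the thread and not osCommerce code: the field names are PayPal payment notification (IPN) variables, while `$order`, `to_cents()` and `payment_mismatches()` are hypothetical, and the notification is assumed to have already been confirmed as coming from PayPal.

```php
<?php
// Added example, not osCommerce code. $order is a hypothetical row loaded from
// the shop's own database; nothing in it is taken from the browser-submitted form.

/** Convert a decimal string such as "300.00" to integer cents, or null if malformed. */
function to_cents(string $amount): ?int
{
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', trim($amount), $m)) {
        return null; // rejects negatives, empty strings and non-numeric input
    }
    return (int) $m[1] * 100 + (int) str_pad($m[2] ?? '', 2, '0');
}

/** Return the reasons a notification must not mark the order paid (empty = OK). */
function payment_mismatches(array $order, array $note, string $merchantEmail): array
{
    $reasons = [];
    if (($note['payment_status'] ?? '') !== 'Completed') {
        $reasons[] = 'payment not completed';
    }
    if (strcasecmp($note['receiver_email'] ?? '', $merchantEmail) !== 0) {
        $reasons[] = 'paid to a different account';
    }
    if (($note['mc_currency'] ?? '') !== $order['currency']) {
        $reasons[] = 'currency differs from order';
    }
    $paid = to_cents($note['mc_gross'] ?? '');
    $due  = to_cents($order['total']);
    if ($paid === null || $due === null || $paid !== $due) {
        $reasons[] = 'amount paid does not equal order total';
    }
    return $reasons;
}

// Constructed sample: the $300 order from the thread, paid through an edited form.
$order = ['id' => 1001, 'total' => '300.00', 'currency' => 'USD'];
$note  = ['payment_status' => 'Completed', 'receiver_email' => 'sales@example.com',
          'mc_currency' => 'USD', 'mc_gross' => '0.01', 'invoice' => '1001'];

$reasons = payment_mismatches($order, $note, 'sales@example.com');
echo $reasons === []
    ? "Order {$order['id']}: mark as paid\n"
    : "Order {$order['id']}: hold for review (" . implode('; ', $reasons) . ")\n";
```

Because the expected total comes from the stored order rather than from the form, editing the HTML changes what PayPal charges but not what the shop requires before setting the order to paid.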


Archived

This topic is now archived and is closed to further replies.
