Possible Security Breach?
Posted 07 December 2002 - 04:31 AM
Does the PayPal IPN server verify the referer, which is the incoming form page? I'm guessing that it does so that this does not happen - ie. IPN server only accepts forms from the registered domain name of the particular business owner. Does anyone know about this?
Posted 07 December 2002 - 01:32 PM
About the last topics discussed in 119, about instant download of items and changing prices via the web form or link.
I use PayLoadz for automatic download of files. The security problem of changing prices affects them too. A simple solution would be to match the price being sent from PayPal to the price that PayLoadz has on file for each item. If the item's price does not match, decline the payment. Also, PayLoadz sends out automatic download e-mails. If the prices do not match, simply do not send out the download e-mail. This way, even if they can't stop the payment, the user will not get that item for any price he wishes. Then I could just refund that payment.
If you can't match the paypal price being sent and the "real" price that PayLoadz has on file, well there would be no need to keep that price, but they do.
I think that would be a simple solution for people to change the prices for instant download items via e-mail. If the two prices don't match, don't send out the e-mail. That's pretty straight forward.
Posted 07 December 2002 - 02:11 PM
This is just like their download history for payments. They don't include item IDs for that info. You know who and how much they paid, but you don't know what exactly they bought.
Posted 08 December 2002 - 10:15 PM
Posted 09 December 2002 - 11:55 AM
1. Switch to Single Item Purchase since it's common to buy digital goods one at a time.
2. Include a hashed version of the price in a pass-through field and compare it later.
Dev Net: https://www.paypal.com/pdn
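Both suggestions in this thread (compare the IPN amount against the price on file, and carry a hashed price in a pass-through field) can be combined in one server-side check. The following is an added example and is not code from this thread, PayLoadz or PayPal; it assumes a constructed catalogue, a constructed server-side secret, and uses the IPN variables mc_gross, item_number, payment_status and custom, with the PayPal VERIFIED round-trip assumed to have been done already.

```python
import hmac
import hashlib
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalogue of digital goods: item_number -> price the seller has on file.
CATALOG = {"ebook-101": Decimal("9.99"), "video-202": Decimal("24.50")}

# Constructed server-side secret for signing the pass-through field; never sent to the browser.
SECRET = b"constructed-secret-do-not-reuse"


def sign_price(item_number: str, price: Decimal) -> str:
    """Value to place in the button's pass-through field (arrives in IPN as 'custom')."""
    msg = f"{item_number}|{price:.2f}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify_ipn(raw_ipn: str) -> tuple[bool, str]:
    """Decide whether a download e-mail may be sent for this IPN post.

    Assumes the IPN body has already been echoed back to PayPal and answered
    VERIFIED; only the price and pass-through checks from the thread are done here.
    """
    fields = {k: v[0] for k, v in parse_qs(raw_ipn).items()}
    if fields.get("payment_status") != "Completed":
        return False, "payment not completed"
    item = fields.get("item_number", "")
    if item not in CATALOG:
        return False, "unknown item"
    expected = CATALOG[item]
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except ArithmeticError:
        return False, "unparseable amount"
    # Check 1: the amount PayPal reports must equal the price on file, not the form's price.
    if paid != expected:
        return False, f"price mismatch: paid {paid}, expected {expected}"
    # Check 2: the pass-through field must be the HMAC this server generated for item+price.
    if not hmac.compare_digest(fields.get("custom", ""), sign_price(item, expected)):
        return False, "pass-through field missing or altered"
    return True, "ok"


if __name__ == "__main__":
    # Constructed IPN body in which the buyer edited the form price down to 0.01.
    tampered = ("payment_status=Completed&item_number=ebook-101&mc_gross=0.01"
                "&custom=" + sign_price("ebook-101", CATALOG["ebook-101"]))
    print(verify_ipn(tampered))
```

A mismatch on either check should lead to withholding the download e-mail and refunding, as the post above describes.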