Possible Security Breach?


  • This topic is locked
4 replies to this topic

#1 Guest(old)

    Junior Member

  • Members
  • 312 posts

Posted 07 December 2002 - 04:31 AM

This may be a dumb question - but for Single Items, what's to stop someone from creating their own form that submits the same info as an existing button, except for a drastically reduced price?

Does the PayPal IPN server verify the referer, which is the incoming form page? I'm guessing that it does so that this does not happen - i.e. IPN server only accepts forms from the registered domain name of the particular business owner. Does anyone know about this?

Thanks,

Gene

#2 deleted user: 240

    Junior Member

  • Members
  • 185 posts

Posted 07 December 2002 - 01:32 PM

This was discussed in 119, but that is locked.

About the last topics discussed in 119, about instant download of items and changing prices via the web form or link.

I use PayLoadz for automatic download of files. The security problem of changing prices affects them too. A simple solution would be to match the price being sent from PayPal to the price that PayLoadz has on file for each item. If the item's price does not match, decline the payment. Also, PayLoadz sends out automatic download e-mails. If the prices do not match, simply do not send out the download e-mail. This way, even if they can't stop the payment, the user will not get that item for any price he wishes. Then I could just refund that payment.

If you can't match the PayPal price being sent and the "real" price that PayLoadz has on file, well there would be no need to keep that price, but they do.

I think that would be a simple solution for people to change the prices for instant download items via e-mail. If the two prices don't match, don't send out the e-mail. That's pretty straightforward.

Bryan

#3 deleted user: 240

    Junior Member

  • Members
  • 185 posts

Posted 07 December 2002 - 02:11 PM

Thanks Shannon for clearing that up for me. If PayPal did send item specific amounts, how hard would that be to make the change to your service? If that would be simple, I'll lobby PayPal like crazy to send item specific information. It only seems right that they should do that. I mean, each item is specific to its own variables, so all that should be included.

This is just like their download history for payments. They don't include item IDs for that info. You know who and how much they paid, but you don't know what exactly they bought.

Bryan

#4 Guest(old)

    Junior Member

  • Members
  • 312 posts

Posted 08 December 2002 - 10:15 PM

OK then, I think the best way to resolve this is to allow the merchant a way to specify authorized pages for his account, only from which Form POST requests can originate. The PayPal server will check the referer page and authorize accordingly. In this way, form hacks originating from outside the merchant's site will not get through.

#5 paypal_pb

    Advanced Member

  • Members
  • 2,960 posts

Posted 09 December 2002 - 11:55 AM

There are a couple of ways this might be addressed:

1. Switch to Single Item Purchase since it's common to buy digital goods one at a time.

2. Include a hashed version of the price in a pass-through field and compare it later.

Patrick Breitenbach
PayPal, Inc.
Dev Net: https://www.paypal.com/pdn
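
Editor's added example, not part of any post above and not PayPal's or PayLoadz's code: a merchant-side check that combines the price-on-file comparison from post #2 with the hashed pass-through field from post #5. It uses a keyed hash (HMAC-SHA256) rather than a plain hash, because anyone who edits the form could recompute a plain hash of the new price. The field names (`item_number`, `amount`, `currency_code`, `custom`, `mc_gross`, `mc_currency`) follow PayPal's button and IPN variable naming and are assumptions, as are the secret, the catalog and all function names.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed sample values. The secret stays server-side and never appears in the form.
SECRET = b"constructed-demo-secret"
CATALOG = {"ebook-01": Decimal("19.95")}  # price on file per item


def price_tag(item_number: str, amount: Decimal, currency: str) -> str:
    """Keyed hash binding item, price and currency, carried in the pass-through field."""
    msg = f"{item_number}|{amount:.2f}|{currency}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def build_button_fields(item_number: str, currency: str = "USD") -> dict:
    """Fields the merchant's page places in the payment form."""
    amount = CATALOG[item_number]
    return {
        "item_number": item_number,
        "amount": f"{amount:.2f}",
        "currency_code": currency,
        "custom": price_tag(item_number, amount, currency),
    }


def should_deliver(notification: dict) -> bool:
    """Decide whether the download e-mail may be sent for a payment notification."""
    item = notification.get("item_number", "")
    currency = notification.get("mc_currency", "")
    try:
        paid = Decimal(notification.get("mc_gross", ""))
    except InvalidOperation:
        return False
    # Check 1 (post #2): the amount paid must equal the price on file.
    if not paid.is_finite() or CATALOG.get(item) != paid:
        return False
    # Check 2 (post #5): the pass-through tag must match item, amount and currency.
    expected = price_tag(item, paid, currency).encode()
    supplied = notification.get("custom", "").encode()
    return hmac.compare_digest(expected, supplied)
```

A notification that fails either check is held for manual review or refund instead of triggering the download e-mail.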



