Tagged: PayPal Hack
September 29, 2011 at 9:15 am #4437 tripp (Member)
Hello, We received this message from a potential “customer”. We don’t know enough to know whether what he is saying is true or not. Can you please advise?
“i visited your website and couldn’t help but notice that it is possible to get your instant downloads for free and that it is also possible to change the prices of your products. i’m a fellow hypnotist and magician from germany who is currently in california for the next year. so please excuse my english. i don’t have any hacking skills, but even i would be able to download your stuff for free.
the problem is, that your website sends the billing data unencrypted to paypal and during this procedure one can easily change the temporary internet data and set any value for it that one wants to pay. so for the instant downloads i would enter 0 and i would get a download link and you would not have the possibility to prevent it. you should also watch out if the price somebody pays for your stuff is the price that you really set for it before you ship it.
paypal is actually a very safe way to pay, but your website is not. i would suggest to implement paypal in your website (and i mean especially the button that directs you to paypal).
as you probably already noticed i didn’t use this security gap, otherwise you would have gotten a payment of 0$. that’s why i want to ask you if i could get one of your programmes for free as some kind of reward for preventing losses.
if you need further information i’m glad to help”

September 29, 2011 at 11:06 am #37148 wzp (Moderator)
As a security professional, with over 30 years of experience, I’ll address the matter in two parts…
There is no such thing as absolute security, unless you have the resources of a large authoritarian superpower. There are only degrees of risk; balancing the value of what you are trying to protect against who your adversary is. For a real-life example of this in action, just visit a large department store and see their asset protection (anti shoplifting) policies at work.
Most wannabe hackers, and some security people, are of the mentality that because they can always break a window on your house and get in, that your house can never be secure; unless you have no windows; or that it isn’t *really* secure, because they can always blow it up.
As for the specific claim… it doesn’t matter if he changes the data, because PayPal will send an IPN (Instant Payment Notification) back to eStore, which is then verified against the database. If the information doesn’t match, no link will be generated.
Besides, as anyone who has tried offering free products knows, PayPal doesn’t accept zero balance transactions…

September 29, 2011 at 11:33 pm #37149 admin (Keymaster)
@tripp, This post will explain why this age old trick does not work with eStore:
Tell that customer to go ahead and make a payment and get the product for free. If he can get it for free using his *trick* then why is he asking you???
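The server-side check the replies above describe, as an added example that is not part of the original thread and is not eStore's own code: the amount, currency, receiver and item reported in the IPN are compared with the store's own records before any download link is issued. The catalog, merchant address and sample messages are constructed, and the sketch assumes the IPN has already been confirmed as genuine with PayPal.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed stand-ins for the store's product database and PayPal account.
CATALOG = {"HYP-001": {"price": Decimal("29.95"), "currency": "USD"}}
MERCHANT_EMAIL = "seller@example.com"


def check_ipn(body, seen_txn_ids):
    """Return (ok, reason) for a URL-encoded IPN body.

    Assumes the message was already verified with PayPal; this function
    only decides whether what was paid matches what the store sells.
    """
    f = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if f.get("payment_status") != "Completed":
        return False, "payment not completed"
    if f.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "wrong receiver"
    product = CATALOG.get(f.get("item_number", ""))
    if product is None:
        return False, "unknown item"
    try:
        paid = Decimal(f.get("mc_gross", ""))
    except InvalidOperation:
        return False, "bad amount"
    if f.get("mc_currency") != product["currency"]:
        return False, "currency mismatch"
    # The price comes from the store's records, never from the browser form.
    if paid != product["price"]:
        return False, "amount mismatch"
    txn = f.get("txn_id", "")
    if not txn or txn in seen_txn_ids:
        return False, "duplicate or missing txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"


# Constructed sample IPN bodies: one honest, one with an edited price.
BASE = ("payment_status=Completed&receiver_email=seller%40example.com"
        "&item_number=HYP-001&mc_currency=USD")
GOOD = BASE + "&mc_gross=29.95&txn_id=TESTTXN1"
TAMPERED = BASE + "&mc_gross=0.01&txn_id=TESTTXN2"

if __name__ == "__main__":
    seen = set()
    for name, msg in (("good", GOOD), ("tampered", TAMPERED), ("replay", GOOD)):
        print(name, check_ipn(msg, seen))
```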