Buyer modifying payments made on OpenCart system.

Lightspeeda
Contributor

Heya people! I was wondering if any of you had experience with an issue I've been having...

 

I help run a virtualware business with a partner of mine. Recently, we've experienced some transactions where it shows that we've received the full payment on our OpenCart invoice, but on PayPal when the transaction information shows up on my statement, the buyer has somehow modified the price of the item to $0.01.

 

I sent an email to PayPal Merchant Technical Support asking how this was possible, but the only thing they could tell me to do is to use the Instant Payment Notification to check every order manually for fraud.

 

Unfortunately, I'm currently the treasurer of the site I work on and the other two people I work with cannot check to see if this glitch has been exploited. As we're selling virtual items, we try to guarantee an instant delivery whenever possible, and it becomes quite the managerial nightmare when I need to personally verify each and every single order.

 

So if any of you might have any insight into this issue, how are these attempted fraudsters modifying the order information, and how can we prevent it from happening in the future? I'm not sure whether the issue here is with OpenCart or with PayPal, but as far as I can tell this shouldn't be possible in the first place.

 

Thanks in advance for any thoughts on this issue.

Accepted Solutions

PayPal_Frank
Administrator

Hi Lightspeeda,

 

Welcome! 🙂

 

PayPal buttons or 3rd party checkouts may contain a variable which sets the amount in plain text. I'm assuming OpenCart is displaying this amount in the HTML code. This would allow anyone to modify and submit a checkout with any amount they specify. Our platform is open in the sense that any developer can create PayPal buttons and checkouts that are compatible with our system. This means that anybody could create code that allows someone to pay any other PayPal account as long as they know that PayPal account's email address or secure merchant ID.

 

PayPal offers hosted and encrypted button code to prevent these situations. Learn more about encryption here:

 

Securing PayPal Payments Standard Buttons

 

There is a section on that page that describes how to block any payments that have not been sent from an encrypted or PayPal hosted button.

 

So while PayPal does offer a solution to this problem, I know using encryption can make integration a lot harder, especially when using 3rd party shopping cart software or server side generated PayPal button code.  This is probably why most shopping cart providers do not use PayPal encryption.  It's also much easier to troubleshoot issues with unencrypted buttons.  These situations are also rare and most merchants do not see buyers attempt to manipulate their shopping cart code.

 

Using Instant Payment Notifications (IPN) is the easiest way to solve this problem.  IPN is an automatic way to check each payment so you wouldn't need to manually check PayPal each time.  An IPN listener server can instantly verify that the correct amount was paid for a given order or invoice number before automatically delivering the virtual items.  If your server detects that the incorrect amount was paid, it could also use the Refund APIs to automatically issue a refund and void the order.  It's possible that OpenCart already has that functionality built in or it's available as a plugin/extension.

 

I hope this helps. 🙂

 

- Frank

If you see a helpful post, please accept it as a solution or give the author kudos. 🙂 Thanks!
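The IPN check described in the answer above, as an added example that is not part of the original post and is not PayPal's or OpenCart's code. It assumes a shop order table keyed by invoice number (`ORDERS`), a placeholder merchant address, and a constructed sample notification; the postback endpoint and the field names (`payment_status`, `receiver_email`, `invoice`, `mc_gross`, `mc_currency`, `txn_id`) are standard IPN variables.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

IPN_POSTBACK_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
MERCHANT_EMAIL = "sales@shop.example"   # constructed placeholder
# Constructed stand-in for the shop's order table: invoice -> (total, currency)
ORDERS = {"INV-1001": (Decimal("25.00"), "USD")}
SEEN_TXN_IDS = set()                    # replay guard; a database table in practice
# Constructed IPN body for an order whose amount was changed before checkout
SAMPLE_TAMPERED = (b"payment_status=Completed&receiver_email=sales%40shop.example"
                   b"&invoice=INV-1001&mc_gross=0.01&mc_currency=USD&txn_id=TXN-B")

def paypal_postback(raw_body: bytes) -> str:
    """Echo the IPN back to PayPal; the reply body is VERIFIED or INVALID."""
    req = Request(IPN_POSTBACK_URL, data=b"cmd=_notify-validate&" + raw_body,
                  headers={"User-Agent": "ipn-listener-example"})
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode().strip()

def check_ipn(raw_body: bytes, postback=paypal_postback):
    """Return (deliver, reason); deliver goods only when every check passes."""
    if postback(raw_body) != "VERIFIED":
        return False, "not verified by PayPal"
    f = {k: v[0] for k, v in parse_qs(raw_body.decode("utf-8", "replace")).items()}
    if f.get("payment_status") != "Completed":
        return False, "payment not completed"
    if f.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "paid to a different account"
    order = ORDERS.get(f.get("invoice", ""))
    if order is None:
        return False, "unknown invoice"
    total, currency = order
    try:
        paid = Decimal(f.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable amount"
    # The amount comes from the shop's own record, never from the checkout form.
    if not paid.is_finite() or paid != total or f.get("mc_currency") != currency:
        return False, "amount or currency mismatch"
    txn = f.get("txn_id")
    if not txn or txn in SEEN_TXN_IDS:
        return False, "missing or replayed txn_id"
    SEEN_TXN_IDS.add(txn)
    return True, "ok"

if __name__ == "__main__":
    # Stubbed postback so the demo runs offline
    print(check_ipn(SAMPLE_TAMPERED, postback=lambda body: "VERIFIED"))
```

A `False` result is the point at which a listener would hold delivery and, as the answer suggests, trigger a refund.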

4 REPLIES

Lightspeeda
Contributor

Bump.

 

This seems like a pretty serious security exploit, anybody have any ideas on what's going on here?


Lightspeeda
Contributor

Wow, MUCH appreciated. This is everything I needed to know.

 

Thanks for the response, PayPal_Frank.


iantresman
Contributor

If only there was a "checksum" or "hash" parameter, generated from specified parameters, then you couldn't change the prices without knowing the new checksum.
