#Paypal #IPN vulnerability – and how to fix it.
The other day, I got a notification of a PayPal payment for £0.01, which was odd, but I didn't realise the significance until a few days later, when I found that someone had managed to buy 800 euros of credit for only £0.01.
The hack was that the user modified the payment link to change the price, by editing the amount parameter:
https://www.paypal.com/cgi-bin/webscr?…&amount=800
to
https://www.paypal.com/cgi-bin/webscr?…&amount=0.01
but left the "custom" field the same, which typically carries the basket ID. When the IPN callback was called, it was passed the correct basket ID but an incorrect mc_gross value. This led to the user being credited with 800 euros' worth while paying only £0.01.
A similar hack could have been done by changing the currency from GBP to JPY.
Simple fix:
In the IPN callback, check that mc_gross and mc_currency match the expected total in the basket, or include a salted hash of the amount and currency in the custom field.
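Both fixes in working form, as an added example that is not from the original post: the first compares the IPN's mc_gross and mc_currency against a stored basket total, the second carries the total in the custom field under a keyed hash (an HMAC with a server-side key, the keyed form of the "salted hash" above) so the callback can check it without a lookup. The basket store, secret key and IPN messages are constructed here, and the code assumes the IPN has already been confirmed as genuinely from PayPal before these checks run.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed for this example: a server-side secret and an in-memory basket store.
SECRET_KEY = b"server-side-secret-never-sent-to-the-browser"
BASKETS = {"basket-42": {"amount": Decimal("800.00"), "currency": "EUR"}}


def amounts_match(ipn, amount, currency):
    """True only if the IPN's mc_gross and mc_currency equal the expected total."""
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False
    return paid == amount and ipn.get("mc_currency") == currency


def verify_against_basket(ipn):
    """Fix 1: look the basket up by the id in 'custom' and compare the stored total."""
    basket = BASKETS.get(ipn.get("custom", ""))
    return basket is not None and amounts_match(ipn, basket["amount"], basket["currency"])


def make_custom(basket_id, amount, currency):
    """Fix 2: carry id, amount and currency in 'custom' with an HMAC tag, so the
    callback can check the total without a lookup and an edited 'amount' in the
    link cannot be matched by a forged tag (the key never leaves the server)."""
    body = f"{basket_id}|{amount}|{currency}"
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_signed_custom(ipn):
    """Recompute the tag over 'custom', then compare its total to what was paid."""
    parts = ipn.get("custom", "").split("|")
    if len(parts) != 4:
        return False
    basket_id, amount, currency, tag = parts
    expected = hmac.new(SECRET_KEY, f"{basket_id}|{amount}|{currency}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return amounts_match(ipn, Decimal(amount), currency)


# Constructed IPN messages: an honest one, and one with amount and currency edited but 'custom' untouched.
GOOD_IPN = {"custom": "basket-42", "mc_gross": "800.00", "mc_currency": "EUR"}
TAMPERED_IPN = dict(GOOD_IPN, mc_gross="0.01", mc_currency="GBP")
SIGNED_GOOD = dict(GOOD_IPN, custom=make_custom("basket-42", Decimal("800.00"), "EUR"))
```

A mismatch in either amount or currency is rejected, which also covers the GBP-to-JPY variant, and the HMAC check fails closed on any custom field the server did not generate.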
PS: This issue has now been fixed on our website, don’t even bother trying this hack! 🙂