|Posted: Fri, 2004-08-20 22:32|
I want to bring to your attention the possibility of a security risk when using the PayPal Shopping Cart.
While researching some ideas on how to implement a secure payment system in Gallery, I spent some time on this forum looking into various PayPal solutions. On successfully implementing one of them, I noticed that it was very easy to alter the data passed on the URL to the PayPal Shopping Cart. In effect, I was able to change such values as quantity, name, and more importantly, price.
The procedure that I used to reproduce this consistently (8 sites and counting) is provided in this cross-link, which is where I first discovered the problem:
As noted there, I have contacted PayPal directly with this issue and will post their response when I receive an official course of action.
Note also that the problem appears to be with PayPal's own implementation of the PayPal Shopping Cart, as their own demo of the Shopping Cart can be compromised just as easily.
Please be aware of this issue.
Beyond contacting PayPal directly for an answer, I will be investing some time in better understanding secure transaction processing.
One final observation: as of this posting, I have not been able to break the database-centric Jenardo Cart (or related) PayPal implementation using the procedure outlined. That suggests that there is a secure (at least relatively) solution for using PayPal.