Topic: Why Paypal is not your "pal"...

sr. member
Activity: 291
Merit: 250
Scam-Busting PSA: Beware of Black Arrow Software
July 19, 2014, 07:21:35 AM
#4
Considering that it wouldn't be too technically awkward to tie the user approval to the amount, I cannot fathom why they don't see it as important to fix this. Even if they don't consider it a vulnerability, it would simply be good practice. I think this just needs some more exposure.

If you read his original seclists submission, he mentions that PP say it's necessary to allow for variations in shipping post approval. Well, firstly I'd personally consider that an insecure design choice: any variation should require re-approval. But even if they were insistent they wanted to keep that flexibility, they could at least cap the variation before re-approval is needed to a $ or % change amount. All these things are trivial to implement and help make it a more secure platform.

Then again, I have no love for PayPal. In fact, I despise it. Which I suppose makes me a hypocrite, as I still use it occasionally when there's no alternative payment processor I prefer listed.
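The policy sketched in posts #3 and #4 (refuse a capture that differs from what the customer confirmed, or tolerate it only up to a capped $ or % increase before re-approval is required), written out as an added processor-side check. This is illustrative code, not PayPal's API or anything from the seclists report; the token, amounts, policy knobs and the Approval record are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Approval:
    """What the customer actually confirmed on the processor's page (constructed record)."""
    token: str
    amount: Decimal
    currency: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_capture(approval: Approval, requested, currency: str,
                  abs_cap="0", pct_cap="0") -> Decision:
    """Decide whether a merchant's capture may run against an existing approval.

    abs_cap / pct_cap are hypothetical policy knobs: the largest increase over the
    approved amount tolerated without re-approval, as currency units or as a
    percentage of the approved amount (the larger of the two applies, so either
    can be used alone). Both at 0 gives the strict "any mismatch is refused" rule.
    """
    requested = Decimal(str(requested))
    if currency != approval.currency:
        return Decision(False, "currency differs from what the customer confirmed")
    if requested <= approval.amount:
        return Decision(True, "amount does not exceed the approved amount")
    increase = requested - approval.amount
    tolerated = max(Decimal(str(abs_cap)),
                    approval.amount * Decimal(str(pct_cap)) / Decimal(100))
    if increase <= tolerated:
        return Decision(True, f"increase {increase} within tolerance {tolerated}")
    return Decision(False, f"increase {increase} exceeds tolerance {tolerated}; re-approval required")


# Constructed sample: the customer confirmed 20.00 USD on the processor's site.
SAMPLE_APPROVAL = Approval("EC-CONSTRUCTED-TOKEN", Decimal("20.00"), "USD")


def run_samples() -> dict:
    """Four capture attempts against the sample approval under different policies."""
    return {
        "exact": check_capture(SAMPLE_APPROVAL, "20.00", "USD"),
        "tenfold_strict": check_capture(SAMPLE_APPROVAL, "200.00", "USD"),
        "shipping_abs_cap": check_capture(SAMPLE_APPROVAL, "21.50", "USD", abs_cap="5.00"),
        "shipping_pct_cap": check_capture(SAMPLE_APPROVAL, "21.50", "USD", pct_cap="5"),
    }
```

Under the strict policy the 200.00 capture is refused outright; with a 5.00 absolute cap the 1.50 shipping bump goes through, while a 5 % cap (1.00 on 20.00) sends it back for re-approval.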
copper member
Activity: 1498
Merit: 1499
No I don't escrow anymore.
July 19, 2014, 07:01:04 AM
#3
Quote
Well that's just blatant fraud, I don't even think that counts as a bug.

The paypal API could check for different amounts and refuse the process in case of a mismatch. However since PP has no intent to change (fix) this, it might as well be aiding and abetting.
legendary
Activity: 1540
Merit: 1000
July 19, 2014, 06:38:35 AM
#2
Well that's just blatant fraud, I don't even think that counts as a bug.
copper member
Activity: 1498
Merit: 1499
No I don't escrow anymore.
July 19, 2014, 06:00:45 AM
#1
Source: seclists.org/bugtraq/2014/Jul/85
Sp. thanks to: blog.fefe.de/?ts=ad3707ae (German)

Apparently for PayPal it's not a bug to change the charged amount after(!) confirmation by the customer.

tl;dr from source:

Quote
**********************
Short description:
**********************
In PayPal Express Checkout the Online-Shop can transfer
any amount, no matter which amount the client actually
confirmed at the PayPal website.


If you are using PayPal, always check the mail. You cannot rely on the information you see during confirmation. PayPal does not even recognize this as a bug.