This topic contains 1 reply, has 2 voices. Last updated by Bruce 3 years, 9 months ago.
Posted: Friday Apr 12th, 2013 at 1:00 pm #47315

We recently received notice from PayPal that we received a $0.01 payment for a product we sell at $79 through s2Member Pro. When we tracked down the root cause, we found that the user had changed the payment amount in the rendered HTML produced from our [s2Member-PayPal-Button … /] shortcode. It turns out that this is very easy to hack if you use any modern browser that allows you to modify HTML or form data ( http://letsearndollar.blogspot.com/2009/07/change-any-paypal-price-with-data.html ).

PayPal strongly recommends using Protected Payment Buttons, as described here: https://cms.paypal.com/mx/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P017Q

My question – Is there a workaround that I can use to secure my s2Member PayPal buttons now? I could abandon the [s2Member-PayPal-Button … /] shortcode approach by attempting to generate near-the-same PayPal buttons through the PayPal web site. Will this break s2Member integration?

As a long-term solution, I advocate that s2Member dynamically generate Protected PayPal buttons through their API as described here: https://cms.paypal.com/mx/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P017Q

Looking forward to finding a solution that prevents price and inventory tampering. Thoughts and recommendations welcome. Thank you!
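One server-side control against the tampering described in the post, added here as an example (not s2Member's, PayPal's, or the poster's code): reconcile each payment notification against a server-side price list before fulfilling the order, so a $0.01 payment for a $79 item is rejected regardless of what the browser-side form said. It assumes PayPal's IPN variable names (mc_gross, mc_currency, item_number, txn_id, receiver_email, payment_status); the catalogue, merchant address and notifications are constructed sample data.

```python
from decimal import Decimal, InvalidOperation

# Server-side source of truth for prices. The amount in the PayPal form post
# is attacker-controlled and must never be trusted for this comparison.
CATALOGUE = {"pro-membership": (Decimal("79.00"), "USD")}   # constructed sample
MERCHANT_EMAIL = "merchant@example.com"                      # assumed account
SEEN_TXN_IDS: set[str] = set()  # use persistent storage in a real deployment


def check_payment(ipn: dict) -> list[str]:
    """Return the list of discrepancies; an empty list means the payment
    matches the catalogue and may be fulfilled."""
    problems = []
    item = ipn.get("item_number")
    if item not in CATALOGUE:
        return [f"unknown item_number {item!r}"]
    expected_amount, expected_currency = CATALOGUE[item]
    if ipn.get("payment_status") != "Completed":
        problems.append(f"payment_status is {ipn.get('payment_status')!r}")
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        problems.append("receiver_email is not the merchant account")
    if ipn.get("mc_currency") != expected_currency:
        problems.append(f"currency {ipn.get('mc_currency')!r} != {expected_currency}")
    try:
        paid = Decimal(ipn.get("mc_gross", "0"))
    except InvalidOperation:
        paid = Decimal("0")
    if paid != expected_amount:
        problems.append(f"paid {paid} but catalogue price is {expected_amount}")
    txn = ipn.get("txn_id")
    if not txn or txn in SEEN_TXN_IDS:
        problems.append("missing or already-processed txn_id")
    else:
        SEEN_TXN_IDS.add(txn)
    return problems


# Constructed notifications: the $0.01 case from the post, and an honest one.
TAMPERED_IPN = {"item_number": "pro-membership", "mc_gross": "0.01",
                "mc_currency": "USD", "payment_status": "Completed",
                "receiver_email": MERCHANT_EMAIL, "txn_id": "TXN-TAMPERED-1"}
HONEST_IPN = dict(TAMPERED_IPN, mc_gross="79.00", txn_id="TXN-HONEST-1")

if __name__ == "__main__":
    for label, ipn in (("tampered", TAMPERED_IPN), ("honest", HONEST_IPN)):
        print(label, check_payment(ipn) or "OK")
```

The notification must still be verified as genuinely from PayPal before these checks run; that verification round trip is outside this snippet.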