
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

s2Member PayPal buttons vulnerable to hacking


This topic contains 1 reply, has 2 voices. Last updated by Bruce 3 years, 9 months ago.

Posted: Friday Apr 12th, 2013 at 1:00 pm #47315
Paul Nowak
Username: pnowak

We recently received notice from PayPal that we had received a $0.01 payment for a product we sell at $79 through s2Member Pro.

When we tracked down the root cause, we found that the user had changed the payment amount in the rendered HTML produced from our [s2Member-PayPal-Button … /] shortcode. It turns out that this is very easy to hack if you use any modern browser that allows you to modify HTML or form data (http://letsearndollar.blogspot.com/2009/07/change-any-paypal-price-with-data.html).

PayPal strongly recommends using Protected Payment Buttons, as described here: https://cms.paypal.com/mx/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P017Q

My question: Is there a workaround that I can use to secure my s2Member PayPal buttons now?

I could abandon the [s2Member-PayPal-Button … /] shortcode approach by attempting to generate near-the-same PayPal buttons through the PayPal web site. Will this break s2Member integration?

As a long term solution, I advocate that s2Member dynamically generate Protected PayPal buttons through their API as described here: https://cms.paypal.com/mx/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P017Q

Looking forward to finding a solution that prevents price and inventory tampering. Thoughts and recommendations welcome. Thank you!

Posted: Saturday Apr 13th, 2013 at 12:27 am #47374
Bruce
Username: Bruce
Staff Member

Thank you for your inquiry.

You need to turn on Encryption. s2Member lets you do this in your PayPal Options. See:

Dashboard → s2Member® → PayPal® Options → Account Details → Enable Button Encryption?
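Button encryption, as Bruce describes, stops the browser-side edit from producing a form PayPal will honour; independently of that, the notification PayPal sends back after payment should be compared against the server's own price table before any access is granted, which is what the tampered $0.01 payment above would have failed. The following is an added example and is not s2Member or PayPal code: the CATALOGUE, RECEIVER_EMAIL and the two sample IPN bodies are constructed, and the post-back to PayPal that confirms the notification is genuine is assumed to have already happened.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl

# Constructed server-side catalogue: item_number -> (price, currency) the
# merchant actually charges. This is the trusted copy of the price.
CATALOGUE = {"pro-annual": (Decimal("79.00"), "USD")}
# Placeholder for the merchant's own PayPal account e-mail.
RECEIVER_EMAIL = "payments@example.com"


def verify_ipn(raw_body, seen_txn_ids):
    """Check a PayPal IPN body against what the server itself knows.

    Assumes the body has already been posted back to PayPal and answered
    VERIFIED; that round trip is left out so the check runs offline.
    Returns (accepted, reason)."""
    f = dict(parse_qsl(raw_body, keep_blank_values=True))
    if f.get("payment_status") != "Completed":
        return False, "payment_status is not Completed"
    if f.get("receiver_email", "").lower() != RECEIVER_EMAIL:
        return False, "receiver_email is not our account"
    item = f.get("item_number")
    if item not in CATALOGUE:
        return False, "unknown item_number"
    expected_price, expected_currency = CATALOGUE[item]
    try:
        paid = Decimal(f.get("mc_gross", ""))
    except InvalidOperation:
        return False, "mc_gross is not a number"
    # Compare against the server's price, never the form-submitted one.
    if f.get("mc_currency") != expected_currency or paid != expected_price:
        return False, "amount mismatch: paid %s %s, expected %s %s" % (
            paid, f.get("mc_currency"), expected_price, expected_currency)
    txn = f.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return False, "missing or replayed txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"


# Constructed sample notifications (not captured from PayPal).
GOOD_IPN = ("txn_id=TX1001&payment_status=Completed&receiver_email=payments%40example.com"
            "&item_number=pro-annual&mc_gross=79.00&mc_currency=USD")
# Same item, but carrying the amount an edited button form sent to PayPal.
TAMPERED_IPN = GOOD_IPN.replace("mc_gross=79.00", "mc_gross=0.01").replace("TX1001", "TX1002")

if __name__ == "__main__":
    seen = set()
    print(verify_ipn(GOOD_IPN, seen))      # (True, 'ok')
    print(verify_ipn(TAMPERED_IPN, seen))  # (False, 'amount mismatch: ...')
```

Because the price is looked up by item_number on the server, the check holds even when the buyer submits a consistent-looking but lowered amount.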
