
Magento Forum

PayPal Payment Store Order Hacked
 
michaelc
Member
 
Total Posts:  64
Joined:  2008-05-21
Qld, Australia
 

Just wanted to report this to the forum in case anyone else encounters the same issue.
Over the past couple of days we have had a single customer work out how to reduce the ordered items’ value to $0.01 each when using PayPal as their payment option. What drew our attention to the issue was that they did a couple of very large value orders over a period of 2 days; the order values in the site and admin were correct. Our fraud module didn’t show the orders up as fraudulent (as it was PayPal), but the PayPal IPN “comments” on the order kept repeating up to 12 times while processing the order. When we checked the order in PayPal, the items had transferred correctly, but it was coming up as a $0.23 total order value with 23 items at $0.01 each.

No other PayPal or credit card orders placed have ever incurred this issue via either of our websites.
We called PayPal support as soon as we picked this up; they were able to immediately confirm the orders as fraudulent, and also confirmed that the user/customer had done this to other merchants as well (PayPal was not specific on how many or who). PayPal said this user will have their account canceled immediately.

PayPal recommended that we check our site for any potential issues, however.
As this hasn’t happened to us before, and I’ve never heard of this on the forums either, can anyone else add any information to this potentially serious issue between Magento and PayPal? Our site is running on Community version 1.4.1.1.

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hello,

first of all: thank you for this notice!

Did you figure out if this bug exists in Magento or on PayPal’s systems?
If the data is transferred correctly to PayPal (maybe you have log files about the sent requests in your PayPal IPN log), then PayPal has to take care of this bug.
But on the other side, if the amount is already wrong when sent to PayPal, it is a Magento bug.

Thanks, thebod

 
 
michaelc
Member
 
Total Posts:  64
Joined:  2008-05-21
Qld, Australia
 

Hi thebod,

Unfortunately we weren’t generating a PayPal log at the time.
PayPal received all the items as $0.01 and reported that same value back to our admin via the IPN comment.
So essentially our PayPal admin account and the IPN reported back to our website matched. However, the order itself had all the correct store values, and the total sales order value was the correct amount.

Somehow the hacker has told PayPal the items were all $0.01 and then restored the amounts to be correct when the order was created.

To make things more interesting, I canceled the most recent order made this morning, then a PayPal IPN was resent 45 minutes later which re-opened the order… at the moment I’m thinking either the user is spoofing PayPal and sending a fraudulent IPN via the API (previously they may have worked out how to capture the PayPal token), or the PayPal account has been hacked.

We also checked with our host to ensure our security settings were correct.
They confirmed we have locked down everything correctly and the servers are secure behind our firewall.

Any other thoughts on this would be greatly appreciated.

 
 
michaelc
Member
 
Total Posts:  64
Joined:  2008-05-21
Qld, Australia
 

Ok, to further update this issue, we have discussed this with PayPal again.

PayPal has confirmed that their Fraud team has blacklisted the origin IP for these orders for us, and will flag any orders coming from this origin.
They have also confirmed that the customer has not hacked PayPal or our website, but instead edited the HTML in their browser upon sending the order through to PayPal. Now this is incredibly difficult to do, and PayPal said that it is very rare, but it does and can happen.

Still for us, this is a big concern and would love if anyone else can contribute any further details about this issue.

Cheers.

 
 
michaelc
Member
 
Total Posts:  64
Joined:  2008-05-21
Qld, Australia
 

Ok, this is just so I can let everyone know what I have found.

There is a free Firefox add-on that allows anyone to capture order data “in-line” in their browser and edit the information as it is submitted to PayPal. I won’t go into the details here, but basically if anyone is getting PayPal IPN responses with only a few cents as their dollar value, especially on high value orders, then chances are you’ve been virtually shoplifted.

Most fraud modules won’t pick this up; however, we are talking to the developer of the fraud module we use, and they can place a check between the total order value in Magento and the dollar value in the PayPal IPN response. Essentially, if there is a discrepancy between the values, then the order is put on hold and flagged to be checked.

This is not restricted to Magento, and can potentially happen to any online store using PayPal “Standard” as a payment gateway.
I don’t think this will work on PayPal Express, however, and some credit card processors may fail on it as well.

Thought I’d just let everyone know to be on the lookout for this kind of issue.

Cheers
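The reconciliation check described above (compare the store’s order total with what the IPN says was paid, and put the order on hold on any discrepancy), written out as an added example. This is not the poster’s fraud module or Magento code; the order records, merchant e-mail and IPN bodies are constructed, and the block assumes the IPN has already been echoed back to PayPal for validation before it reaches this step.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed store-side order records (what the shop knows each order is worth).
ORDERS = {
    "100000123": {"grand_total": Decimal("1499.77"), "currency": "AUD", "state": "pending_payment"},
    "100000124": {"grand_total": Decimal("89.95"), "currency": "AUD", "state": "canceled"},
}
RECEIVER_EMAIL = "payments@example-store.test"  # assumed merchant PayPal e-mail (constructed)
SEEN_TXN_IDS = set()  # stand-in for a persistent table of processed txn_ids

def parse_ipn(body: str) -> dict:
    """Flatten the urlencoded IPN body into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def reconcile_ipn(ipn: dict, orders=ORDERS, seen=SEEN_TXN_IDS):
    """Return (decision, reason) for an IPN that PayPal has already answered VERIFIED."""
    order = orders.get(ipn.get("invoice", ""))
    if order is None:
        return "hold", "IPN references an unknown invoice"
    if order["state"] == "canceled":
        # A late or re-sent IPN must never silently re-open a canceled order.
        return "hold", "IPN received for a canceled order"
    if ipn.get("txn_id") in seen:
        return "ignore", "duplicate txn_id already processed"
    if ipn.get("receiver_email", "").lower() != RECEIVER_EMAIL:
        return "hold", "payment went to a different receiver_email"
    if ipn.get("payment_status") != "Completed":
        return "hold", "payment_status is %r" % ipn.get("payment_status")
    if ipn.get("mc_currency") != order["currency"]:
        return "hold", "currency mismatch"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return "hold", "mc_gross is not a number"
    if paid != order["grand_total"]:
        # The thread's case: 23 items arrive as mc_gross=0.23 against a far larger order.
        return "hold", "paid %s but order total is %s" % (paid, order["grand_total"])
    seen.add(ipn["txn_id"])
    return "accept", "amount, currency and receiver match"

# Constructed IPN bodies (field names are PayPal's; values are made up for this example).
TAMPERED_IPN = ("payment_status=Completed&txn_id=TX0001&invoice=100000123&mc_currency=AUD"
                "&mc_gross=0.23&num_cart_items=23&receiver_email=payments%40example-store.test")
GOOD_IPN = TAMPERED_IPN.replace("mc_gross=0.23", "mc_gross=1499.77").replace("TX0001", "TX0002")
```

Running `reconcile_ipn(parse_ipn(TAMPERED_IPN))` yields a hold; the same IPN delivered twice is ignored the second time rather than re-processed.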

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hello,

yes, spoofing/manipulating requests is very simple (you don’t even have to use Firefox).

So it seems as if the problem is on PayPal’s side, because they don’t make sure that all of the data originally comes from the shop.
This could be resolved by sending a hash of the data, including a shared secret, which would result in a non-fakeable request. But that is PayPal’s business.

What I wanted to make sure is that we don’t deal with a pure Magento issue here.
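The keyed hash thebod proposes above, sketched as an added example of how a shop and a processor could bind price-bearing checkout fields to a shared secret so that a browser-side edit is detectable on arrival. This is illustrative only, not a PayPal feature or anyone’s production code; the secret, cart fields and signature field name `sig` are constructed.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Assumed shared secret provisioned out of band between shop and processor (constructed).
SHARED_SECRET = b"constructed-shared-secret-do-not-reuse"

def canonical(fields: dict) -> bytes:
    """Deterministic serialisation both sides can reproduce: sorted keys, signature excluded."""
    return urlencode(sorted((k, v) for k, v in fields.items() if k != "sig")).encode()

def sign_fields(fields: dict, secret: bytes = SHARED_SECRET) -> dict:
    """Shop side: attach an HMAC-SHA256 over every field before the form leaves the server."""
    signed = dict(fields)
    signed["sig"] = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
    return signed

def verify_fields(fields: dict, secret: bytes = SHARED_SECRET) -> bool:
    """Processor side: recompute the MAC and compare in constant time."""
    expected = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields.get("sig", ""))

# Constructed cart-upload style fields (names mirror PayPal Standard's; values are made up).
CHECKOUT = {"cmd": "_cart", "upload": "1", "invoice": "100000123",
            "item_name_1": "Widget", "quantity_1": "23", "amount_1": "65.21",
            "currency_code": "AUD"}

def price_edited_copy(signed: dict) -> dict:
    """Model the in-browser edit from the thread (unit price dropped to one cent) for testing."""
    edited = dict(signed)
    edited["amount_1"] = "0.01"
    return edited
```

A signed form verifies; the same form with `amount_1` altered, or with its signature stripped, does not.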

 
 
RapidSSLcerts
Jr. Member
 
Total Posts:  2
Joined:  2012-02-08
 

We believe that maybe there was an issue with PayPal order processing, but if we check that the received amount is the right figure, as a result of this we cannot say that PayPal has a bug, but we can bring an update to the PayPal support team.

If we think about Magento then I don’t think the fraud module has a bug, because it’s too accurate; if any fraud is there it will be tracked immediately by it.

My concern is that we need to check one more time by testing orders across the entire system, including the Magento module and the PayPal system.

Thanks & Regards

 