Dibs Module Security Issue

Seems like a person has managed to hack our cs-cart 3 store.

He has placed 2 visa/mastercard orders through the integrated DIBS module and none of the payments got through, only the orders. No transaction ID was returned to cs-cart, but the order was still approved.

Was your store hacked? Or did someone use a stolen credit card?

Your description is not clear to me. When you say “none of the payments got through”, do you mean they were declined? What was the status of the orders after the payment operation?

Someone just placed an order in a normal way, but managed to bypass the visa/mastercard redirection system somehow. So the order was placed in the system in the usual way.

But there was no transaction id in the order info, no response from the credit card company.

It just said “payment method visa/mastercard” and nothing else.

I have no idea how he managed to bypass this redirection. Maybe a bug in cs-cart.

The order should not have been approved without a proper response from the credit card company.

Too many factors to address openly here. Suggest you open a helpdesk ticket since I'm not familiar with the processor. But my guess is you have a setup issue. Is this just one order and all others are fine? What was the status of the order? It should have been Open if it was not yet processed by a payment provider and a payment provider was known.

This has just happened once in 1000s of orders.

That's why I'm wondering if there is a security bug somewhere in the code in this module.

I've seen some instances where the payment method is just skipped. But this was mostly in V3 sites. I was never able to find a cause. It seemed to be very random.