Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Paypal exploit ! Rate Topic   - - - - -

 
  • evecookies
  • Member
  • Members
  • Join Date: 07-Mar 07
  • 58 posts

Posted 28 December 2008 - 05:37 PM #1

Hello.

I've encountered today an exploit that worries me. A "customer" has placed an order of 184 USD but the payment received via Paypal was 0.01 USD

First i thought that the user made have placed an order but he would not finalize it and then send via Paypal a small payment to try to trick me in thinking he paid for that order.

This is not the case. The order was recorded by the cart as being processed (email was sent also). This means that the buyer did placed the order via the shopping cart redirect. Else the order should have had an open status.

I also know that after being redirected to Paypal, the buyer can't change the value that he has to pay.

In the order processed email received from my cs-cart installation (1.3.5 sp2) the cart content is normal but in the payment-received-email from paypal one item is "worth" 0.01 and all others 0.00.

I've also emailed paypal but i would also appreciate your help.

Has anyone encounter this before ? If yes, what can be done.

How was this possible ?

 

Posted 29 December 2008 - 01:58 AM #2

Eve, this is an exploit with PAYPAL, not cs-cart.
There is little, or nothing that CS-Cart can do.

I've been aware of this exploit for a long time now, it has it's uses obviously however it's paypal that should be required to sort this out.

I suggest contacting Paypal provisioning what you've told us.
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • evecookies
  • Member
  • Members
  • Join Date: 07-Mar 07
  • 58 posts

Posted 29 December 2008 - 10:01 AM #3

Thank you Jesse.

You imagine i did. However their customer support is the ****EST ever. I've used the resolution center and their 5-6 replies were CLUELESS generic messages. First they told me that my button integration is not correctly implemented. They did not even read the whole message where i've mentioned that only 2 orders from the same person out of a total of 3700 orders are exploited and the rest works perectly.
Then they said i should contact merchant support. When i told them (a 3rd time) i do not need technical assistance and that i just only want to report an exploit they reply with a generic message telling me how to report an unauthorized transaction made from my Paypal account. LOL. Completely and utterly useless to try to communicate with them. Let alone sort this out.

I guess i'll just have to keep an eye on all payments received from now on.

 
  • ThomH
  • Senior Member
  • Members
  • Join Date: 20-Nov 07
  • 1572 posts

Posted 29 December 2008 - 10:45 AM #4

This was occured to us too.
The payment was initiated from Netherlands, by one individual called "dennis de graaf" address: twentebad 54 76212 hengelo Netherlands.(probably fake!)
Than this individual (on an other name) initiates an other order, paid the amount then reported "An unauthorized account activity" to paypal.
Here is his webpage: yourgrafix.com

Also contacted paypal without any "appreciable answer" !!!
Also opened a ticket on helpdesk.

We have developped a solution to verify paypal payments and now is in test phase.

WebGraphiq offers a wide range of professionally developed, ready to use CS-Cart add-ons to provide additional functionality and boost your sales. The oldest active CS-Cart add-on development team. -- Since 2006 --


CS-CART ADD-ONS | FREE QUOTE | CS-CART DEVELOPMENT | @webgraphiq


 

Posted 29 December 2008 - 10:46 AM #5

Yep,

It's the same reason why eBay is dying, lack of support and mundane generic responses to important queries.

Half the reason why I choose not to use Paypal for my other stores (southeastauto excluded) is that it's the quickest and least expensive processor for me to setup. But don't put your mortgage on it.
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • d2event
  • Junior Member
  • Members
  • Join Date: 30-Jan 08
  • 13 posts

Posted 04 January 2009 - 02:55 PM #6

Hello.

I've encountered today an exploit that worries me. A "customer" has placed an order of 184 USD but the payment received via Paypal was 0.01 USD

First i thought that the user made have placed an order but he would not finalize it and then send via Paypal a small payment to try to trick me in thinking he paid for that order.

This is not the case. The order was recorded by the cart as being processed (email was sent also). This means that the buyer did placed the order via the shopping cart redirect. Else the order should have had an open status.

I also know that after being redirected to Paypal, the buyer can't change the value that he has to pay.

In the order processed email received from my cs-cart installation (1.3.5 sp2) the cart content is normal but in the payment-received-email from paypal one item is "worth" 0.01 and all others 0.00.

I've also emailed paypal but i would also appreciate your help.

Has anyone encounter this before ? If yes, what can be done.

How was this possible ?


I use cs cart 1.3.5 sp4

I had same order with this bug, Its paypal module exploit , not paypal exploit. I have another store with different script and I never had such bug!

I always deliver products without loggin on paypal (I use API only) - scammer found way to pay 0.01 USD and change status to paid.

 
  • evecookies
  • Member
  • Members
  • Join Date: 07-Mar 07
  • 58 posts

Posted 04 January 2009 - 03:40 PM #7

For me this exploit only "works" for anonymous checkouts. At least i think so because all attempts were made from an unregistered user.

I've now disable the "Allow anonymous checkout" option and i hope it will never happen again.

 
  • Palmtop
  • Senior Member
  • Members
  • Join Date: 15-Feb 07
  • 310 posts

Posted 04 July 2009 - 01:31 PM #8

Today to me:

Ordered items for 507,01 EURO...... received 0,03 EURO through Paypal.....

CS-Cart 1.3.5SP4 .... any ideas?

This also happens in 2.05 ?

Regards

 
  • ThomH
  • Senior Member
  • Members
  • Join Date: 20-Nov 07
  • 1572 posts

Posted 04 July 2009 - 01:44 PM #9

Today to me:

Ordered items for 507,01 EURO...... received 0,03 EURO through Paypal.....

CS-Cart 1.3.5SP4 .... any ideas?

This also happens in 2.05 ?

Regards


Read my response #4.

The mod developped by us is working fine on our webshop ( v1.3.5-sp4), protecting us from these payments.
Also got some fake orders, but the mod changed automatically the order status to "Declined". Is a paypal exploit.
Not tested in 2.0.5, but can be converted.
There is not released a fix from paypal or cs-cart.

WebGraphiq offers a wide range of professionally developed, ready to use CS-Cart add-ons to provide additional functionality and boost your sales. The oldest active CS-Cart add-on development team. -- Since 2006 --


CS-CART ADD-ONS | FREE QUOTE | CS-CART DEVELOPMENT | @webgraphiq