I found this secrity problem with 2checkout.
when i want to do a payment from my own website, i get redirected to https://www.2checkout.com/2co/buyer/purchase
sofar so good. However, when i wait long enough (I presume untill the session is over) and I click on the 2CO/CHECKOUT button, i get to see all the variables as a GET. At that moment I can change the total amount to whatever I want and then proceed to the next step. And see, the amount I have to pay is changed to what i filled in.
The same problem arises when I setup a connection throug curl and redirect to the proper page.
3 Comments »
+1
-1
When using the 2Checkout system, suppliers must pass the information about the sale to our purchase routine so customers can enter their credit card number and billing information. The credit card and payment information must be entered on our pages and cannot be accepted on your website.
Our system works using HTML forms and, as is the nature of this technology, it will be possible for someone to attempt to edit the total parameter. We do not see this as an issue and I have not encountered a supplier who has had an issue with someone editing the price for a product or service they wish to purchase.
There are some precautions a supplier can take to make sure they are protected from people who may wish to access the product they offer without paying or for less than you charge. First I suggest that all vendors, especially those selling instant download type products, turn off the ability to use the Demo parameter within their account. To do this suppliers will need to log into their 2Checkout account and navigate to the Look & Feel settings. This page of settings includes the “Account Demo Settings” where you can set the Demo setting to OFF. Click here for more detailed instructions.
Suppliers concerned with someone editing the total of a sale can do 2 things. They can switch parameter sets and use the Plug and Play parameter set. This set works off passing a product ID and quantity to the system and 2Checkout calculates the total based on the products you have created in your account. This will automatically remove the ability to edit the total and will only leave the customer the ability to edit the quantity of the products purchased on the cart. If a customer said they wanted to buy 2 of an item off your site and then on the 2Checkout cart changed this to only 1, you would be notified in your sales email and on your 2Checkout sales details page. Understandably, this parameter set change will not work for all suppliers, particularly the ones using a 3rd party cart system.
The second action suppliers can take is to implement the MD5 hash. This would require the supplier to calculate and store the total before passing the customer to our pages. Then after the sale when the customer is returned to your Approved URL you will need to calculate the MD5 hash with your total and compare it to the MD5 hash we sent back to you. If your customer edited the total, the hash we send back would not match your hash and you would know that the customer edited the total or used the demo parameter. More information on the MD5 hash can be found here. Suppliers with cart systems can also do something as simple as storing the total on their system and comparing that to the total we pass back to you, which will reflect any change made to it on our pages. If you sell an egood that customers can download right after a successful purchase you could even do a simple comparison of the total passed back to your site from 2Checkout and the total that you charge from your product before displaying a download link to that individual.
+0
-1
To be honest, I find this an unacceptable answer. My customers don’t even get to see the data that I send to 2checkout and I expect 2checkout to treat my data as stealthy as possible. the fact that i get to see the data after what i suspect is a session end, and that i can change that at will is definately a security risk. After a session ends, customers should get to see a message that the session has ended and that the sales cannot continue, something like that.
I expect 2checkout to solve this problem ASAP!!
+0
-0
ericbb - A 2checkout session is created when a customer visits our site. If you visit our site and start a session, then leave our site and wait until that session has expired, when you come back to the 2Checkout site you will be given a new session ID and a new session will start. We will not show an error to the customer as this would prevent many customers from being able to place an order.