paypal payment [SOLVED]

Started by guardiano78, March 21, 2018, 19:53:15 PM


guardiano78

Hello,
I have some questions about the PayPal plugin.

I will try to explain with an example of what happened to me:
One customer placed order no. 110 for a cost of $100.00.
He chose to pay with PayPal.
During the payment process the customer was able to change the amount of the order, so for order no. 110 I received a payment of only $0.50.
I contacted the client (who is a developer) and he told me that the data transfer to PayPal is not encrypted and therefore he was able to change the amount of the order.

There seems to be a security problem in the PayPal plugin.
Do you find it?

He suggested that I encrypt the data sent to PayPal.

If I update VirtueMart and its plugins to the latest version, will that solve the problem?
Or can you tell me how I can solve it?

Thanks!

Joomla 3.7.2 - VirtueMart 3.2.2

kishoreonwork


Yes, PayPal Standard payment is a client-side technology and there is always a possibility of fraud.

But PayPal sends IPN messages to your website with the payment details. And with the IPN message we can check the order details and confirm the order based on them.
Yes, I can confirm the PayPal plugin always checks the order amount against the IPN data and will not confirm the order if the order value is mismatched.
So there is no need to worry much about it, as the PayPal plugin is safe.

Thanks
Kishore

I am available for paid joomla and virtuemart consulting.
http://www.kishoreweblabs.com/
skype kishore2607

alatak

Hello

Quote: During the payment process the customer was able to change the amount of the order; So for the order no.110 I received a payment of only $ 0.50
Yes, it is true, anyone can do that, as well as changing other values (I am not going to tell you which ones :) )
It is an issue that we solved years ago:
when receiving the IPN that validates the order, we check among other things that the amount is correct. If it is not, then the order is not confirmed.

Could it be that you have misconfigured the PayPal plugin?

guardiano78

Hello,
thanks for the reply.
I attach my plugin configuration.

Do you think that if I update my Joomla and my VirtueMart I can solve this specific problem?

Or do I have to give up? :-)

Thank you all.

kishoreonwork

I believe they are good; the order will always remain Pending if the order amount is mismatched.

Thanks
Kishore

guardiano78

Hi Kishore,
thank you for the quick response.

Excuse me if I insist, but according to you, will doing the upgrades solve the problem for which I opened this topic?

Thank you.

AH

Most of us think that there is not a "problem"

Upgrading will be a good idea - but it is not a plugin problem.

Someone tampered with the PayPal POST data - that is possible if you use PayPal Standard.

The payment was made for the wrong amount.

The VM plugin handles the PayPal IPN message which PayPal sends you. Fraud checks are made at this point by VM and an email is triggered, showing the discrepancy between mc_gross (PayPal funds paid) and the VM order value.

Your order in such a case will not get updated to confirmed and will remain at a Pending status.

You handle the email and manage this message. Namely - do not ship the goods if Pending and consider how you cancel the transaction.

Quote: I contacted the client (who is a developer) and he told me that the data transfer to paypal is not encrypted

PayPal Standard is not an encrypted service.

Secondly, why was the developer deliberately intercepting and "adjusting" the PayPal POST data?

He has attempted to defraud you - you may want to contact the authorities.

Regards
A

Joomla 4.4.5
php 8.1
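
The IPN reconciliation described in the replies above, shown as an added example that is not part of the thread and is not VirtueMart's plugin code. It assumes the IPN has already passed PayPal's verification postback and that the order was looked up from the IPN's `invoice` field; the function names and the order record layout are hypothetical.

```php
<?php
// Added illustration; not VirtueMart's plugin code. mc_gross, mc_currency,
// payment_status and receiver_email are PayPal IPN variables; the order array
// layout and the function names are assumptions made for this example.

/** Convert a decimal string such as "100.00" to integer cents; null if malformed. */
function to_cents(string $amount): ?int
{
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', trim($amount), $m)) {
        return null;
    }
    return (int)$m[1] * 100 + (int)str_pad($m[2] ?? '', 2, '0');
}

/** Decide the order status from an already-verified IPN. Returns [status, reasons]. */
function reconcile_ipn(array $order, array $ipn, string $merchantEmail): array
{
    $reasons = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $reasons[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $merchantEmail) !== 0) {
        $reasons[] = 'receiver is not the merchant account';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $reasons[] = 'currency mismatch';
    }
    // Compare in integer cents so "100" and "100.00" match and floats never round.
    $paid = to_cents($ipn['mc_gross'] ?? '');
    $due  = to_cents($order['total']);
    if ($paid === null || $due === null || $paid !== $due) {
        $reasons[] = sprintf('amount mismatch: paid %s, order total %s',
            $ipn['mc_gross'] ?? '(missing)', $order['total']);
    }
    // Any failed check leaves the order Pending for manual review.
    return [$reasons === [] ? 'Confirmed' : 'Pending', $reasons];
}

// Constructed sample data modelled on the case in this thread.
$order    = ['number' => '110', 'total' => '100.00', 'currency' => 'USD'];
$tampered = ['payment_status' => 'Completed', 'receiver_email' => 'shop@example.com',
             'mc_currency' => 'USD', 'mc_gross' => '0.50', 'invoice' => '110'];
$honest   = array_merge($tampered, ['mc_gross' => '100.00']);

foreach (['tampered' => $tampered, 'honest' => $honest] as $label => $ipn) {
    [$status, $reasons] = reconcile_ipn($order, $ipn, 'shop@example.com');
    echo "$label: $status", $reasons ? ' (' . implode('; ', $reasons) . ')' : '', PHP_EOL;
}
```

The tampered notification leaves order 110 at Pending with the amount mismatch recorded, while the honest one is confirmed.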

alatak

Hello

Quote: During the payment process the customer was able to change the amount of the order; So for the order no.110 I received a payment of only $ 0.50

What is the order status of that order? Pending? Don't deliver the goods.

guardiano78

Quote: What is the order status of that order? Pending ? don't deliver the goods
Yes, the order status remains pending!

Anyway, if I decide to use "Express Checkout", will I solve this little problem of mine?

Thanks.

alatak


Hello
It is not a problem.
Your order is pending; whatever payment method you use, you should not deliver. That is it :)

guardiano78


Quote: It is not a problem.
Your order is pending, whatever is the payment you use, you should not deliver , that is it :)

I'm sorry I expressed myself badly, I understood that this is not a problem. I will not send order items :-)

But I would like users not to be able to make changes to the PayPal payment order amount, as unfortunately happened to me.

If I use "Express Checkout" could I be more protected about what happened to me?
Thank you.

alatak

Hello

Yes, this problem only concerns PayPal Standard.
With Express Checkout, you do not have it.

guardiano78

Thank you alatak, I'll try this.
Bye