Support » Plugin: WordPress Simple Shopping Cart » Security considerations when selling digital goods

  • Hello.

    I’m using this plugin standalone on my WordPress site to sell software licenses. Maybe this plugin is valid for manual sales, but it’s insecure and I want to share my findings.

    If you manually check transactions at PayPal before sending items, or have additional fraud controls, you are safe, so ignore my comments 🙂

    By default, if you use this plugin to sell digital goods, you are exposed to several fraud risks that should be considered.

    1- eCommerce impersonation: the business PayPal address is not validated by default. Therefore someone could resend you another ecommerce’s valid IPN notification and trigger actions on your system.

    As a quick fix for the paypal.php code:

    // Reject any IPN whose receiving business address is not ours
    $business = $this->ipn_data['business'];
    if ($business != 'ecommerce@yoursite.com') {
        $this->debug_log('INVALID IPN: unknown business: ' . $business, true);
        die();
    }

    I’ve implemented some functions to generate software licenses once the IPN is validated; however, there are some more security considerations:

    2- IPNs can be sent several times by an attacker. Be careful and check if the PayPal transaction ID was already used ($txn_id). Unless you check it, you are going to sell items or generate licenses more than once for the same payment.

    3- Prices are not validated: A user can intercept the request generated by the browser and modify the product price before it reaches PayPal, because it’s not using certificate keys. An attacker can set a price of $0.1, for example.
    Your payment will succeed in the same way as the transaction (IPN) validation once it reaches your WordPress site, because the transaction is valid and was generated by PayPal (the only problem is that PayPal doesn’t know which price is the real one).
    Double check your price at $current_cart_item['price'] for your cart or mc_gross when paying with a PayPal button.

    Regards,

    Andres Tarasco
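    The three checks from the post (receiver address, transaction replay, paid amount) combined into one validation routine, as an added example that is not part of the plugin or of the original post. It assumes the IPN has already passed PayPal’s own VERIFIED step, that the product id arrives in the IPN `item_number` field, and that `$seen_txn` is backed by persistent storage; the function name and catalog shape are assumptions.

```php
<?php
// Added example, not plugin code. Returns a list of reasons to reject the IPN;
// an empty list means the payment may be fulfilled exactly once.
function check_ipn(array $ipn, string $expected_business, array $catalog, array &$seen_txn): array
{
    $errors = [];

    // 1. Receiver check: an IPN addressed to another merchant's account is not ours.
    $business = $ipn['business'] ?? '';
    if ($business !== $expected_business) {
        $errors[] = 'unknown business: ' . $business;
    }

    // 2. Replay check: a txn_id that already fulfilled an order must not do so again.
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || isset($seen_txn[$txn])) {
        $errors[] = 'missing or already used txn_id: ' . $txn;
    }

    // 3. Price check: compare what PayPal reports as paid (mc_gross, mc_currency)
    //    against the server-side catalog price, never against the browser request.
    $item = $ipn['item_number'] ?? '';               // assumption: product id travels here
    if (!isset($catalog[$item])) {
        $errors[] = 'unknown item: ' . $item;
    } else {
        $paid = (float)($ipn['mc_gross'] ?? 0);
        if (($ipn['mc_currency'] ?? '') !== $catalog[$item]['currency']
            || $paid + 0.005 < $catalog[$item]['price']) {
            $errors[] = sprintf('underpayment: got %s %.2f, expected %s %.2f',
                $ipn['mc_currency'] ?? '?', $paid, $catalog[$item]['currency'], $catalog[$item]['price']);
        }
    }

    // Only a completed payment should trigger fulfilment (pending/reversed are not).
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $errors[] = 'payment_status is not Completed';
    }

    if (!$errors) {
        $seen_txn[$txn] = true;                       // record the txn_id only after every check passed
    }
    return $errors;
}

// Constructed sample data: a genuine IPN, then the same IPN replayed with a tampered amount.
$catalog  = ['lic-pro' => ['price' => 49.00, 'currency' => 'EUR']];
$seen_txn = [];
$good = ['business' => 'ecommerce@yoursite.com', 'txn_id' => 'TXN-EXAMPLE-0001', 'item_number' => 'lic-pro',
         'mc_gross' => '49.00', 'mc_currency' => 'EUR', 'payment_status' => 'Completed'];
print_r(check_ipn($good, 'ecommerce@yoursite.com', $catalog, $seen_txn));                          // []
print_r(check_ipn(['mc_gross' => '0.10'] + $good, 'ecommerce@yoursite.com', $catalog, $seen_txn)); // replay + underpayment
```

In a real deployment the txn_id record needs to be written atomically (for example a unique index on the transaction id column) so that two IPNs arriving at the same moment cannot both pass the replay check.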
