Easy Digital Downloads support topic: Security Warning – Stupid PayPal Standard Gateway Implementation

  • Resolved sadvis

    (@sadvis)


    If you’re using PayPal Standard with this extension, be advised that the amount of the purchase is sent to PayPal in the URL, and one can easily buy a $100 product at the price of $0.01 with zero hacking knowledge by just modifying the URL! This is way too stupid an implementation, and if the rest of the product has the same attitude you should run from it.
    To the dev who wrote this extension: you are a real threat to the WP community; consider finding a physical job which does not require a bit of thinking. a**hole!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author mordauk

    (@mordauk)

    Hi @sadvis!

    You are correct that the purchase details are sent to PayPal in the URL. That is the standard and correct implementation method for PayPal Standard. You can refer to PayPal’s API documentation here for details and examples: https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/pps_integration/

    Now, that being said, your concern that anyone can modify the purchase data is completely valid, except that there are behind-the-scenes systems in place specifically to prevent that.

    PayPal uses a system called “Instant Payment Notifications” (IPN) to send data about events happening in your PayPal account back to your website that Easy Digital Downloads is installed on. The IPN system is used for a number of purposes, but one of its primary purposes is specifically to prevent malicious manipulation of purchases.

    When a purchase is submitted through EDD and then completed on PayPal.com, PayPal sends all of the purchase data back to your site as a separate POST request. EDD takes the IPN data and then validates it to ensure nothing was changed. If a change is detected (such as the currency or amount of payment), the payment record is immediately set to Revoked and the customer never receives access to the files.

    If you’d like to see the exact code that handles this, you can find it here: https://github.com/easydigitaldownloads/easy-digital-downloads/blob/master/includes/gateways/paypal-standard.php#L358

    Along with using the IPN data to validate the purchase, EDD also validates that the IPN data itself has not been modified.

    Note: in order for the IPN verification system to work, IPN needs to be turned on inside of your PayPal account. See our documentation here: https://docs.easydigitaldownloads.com/article/918-paypal-standard

    Unfortunately, the IPN event happens asynchronously – usually a few minutes later – while the EDD system has already sent the purchase receipt – which usually/always includes the download links – and has triggered the edd_complete_purchase and edd_after_payment_actions actions for the manipulated purchase.
    It is also noticeable that even after receiving the IPN indicating failure in the payment, although the payment is marked as failed, the edd_after_payment_actions remains valid and the task will be executed.

    • This reply was modified 11 months, 1 week ago by  sadvis.
    Plugin Author mordauk

    (@mordauk)

    That’s not quite correct.

    The purchase receipt is sent only once the payment is marked as Complete.

    In EDD, there are three ways a purchase through PayPal Standard can be marked as complete:

    1. The PayPal IPN is processed and validated, resulting in the status changing to Complete.

    2. A site manager manually changes the status from Pending to Complete.

    3. Payment Data Transfer (PDT) is enabled in Downloads > Settings > Payment Gateways > PayPal. When this is enabled, the transaction ID is sent in the redirect URL when the customer returns to your site from PayPal. EDD then uses this transaction ID to look up the payment in PayPal to verify everything was valid. If the purchase is valid (and has not been altered), the purchase will be marked as complete.

    You can see the exact code for how the PDT process is handled here: https://github.com/easydigitaldownloads/easy-digital-downloads/blob/master/includes/gateways/paypal-standard.php#L873

    EDD never marks a purchase as complete without first validating it. If, however, you have found a way to make that happen without validation, please let us know by sending the exact replication steps to security@easydigitaldownloads.com so that our security team can address it.

    It is quite obvious that the problem is nested in the PDT, and you won’t be harmed if PDT is disabled, which is against EDD’s recommendation.

    Please double-check edd_paypal_process_pdt_on_return, which only verifies that the transaction ID is valid and associated with the specified token. NO AMOUNT CHECK!
    PDT changes the status from Pending to Complete automatically.
    And yes, after a few minutes the IPN detects the price mismatch and changes the status from Complete to Failed, but too late: we’ve already delivered the product.

    Cheers 😉
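
The two checks discussed in this thread, side by side, as an added illustration that is not EDD’s code: the weak PDT handling (transaction found, therefore complete) and a hardened version that compares the gateway-reported amount, currency, payment status, receiver and order reference against the stored order before anything is released. Field names follow PayPal Standard’s documented variables (txn_id, payment_status, mc_gross, mc_currency, receiver_email, custom); the merchant address, order record and PDT reply bodies are constructed for the example.

```python
from decimal import Decimal
from urllib.parse import unquote_plus

MERCHANT_EMAIL = "merchant@example.com"  # constructed merchant account

# Constructed stored order, as the site recorded it before redirecting to PayPal.
ORDER = {"id": "42", "total": Decimal("100.00"), "currency": "USD", "status": "pending"}

def parse_pdt_response(body: str) -> dict:
    """A PDT reply is 'SUCCESS' or 'FAIL' on line one, then URL-encoded key=value lines."""
    lines = body.strip().splitlines()
    fields = {"_result": lines[0].strip()}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        fields[key.strip()] = unquote_plus(value)
    return fields

def complete_if_txn_found(order: dict, fields: dict) -> str:
    """Weak check, as described in the thread: a successful txn_id lookup alone
    promotes the order to complete. Amount and currency are never compared."""
    if fields["_result"] == "SUCCESS" and fields.get("txn_id"):
        return "complete"
    return order["status"]

def complete_if_validated(order: dict, fields: dict) -> str:
    """Hardened check: mark complete only when every field matches the stored order."""
    if fields["_result"] != "SUCCESS":
        return order["status"]                      # lookup failed: leave untouched
    if fields.get("custom") != order["id"]:
        return "failed"                             # reply is for a different order
    if fields.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return "failed"                             # paid into someone else's account
    if fields.get("payment_status") != "Completed":
        return "pending"                            # e.g. eCheck still clearing
    if fields.get("mc_currency") != order["currency"]:
        return "failed"                             # currency swapped in the URL
    if Decimal(fields.get("mc_gross", "0")) < order["total"]:
        return "failed"                             # the $0.01-for-$100 case
    return "complete"

# Constructed PDT replies: one honest, one where the amount was lowered in the redirect URL.
GOOD_PDT = ("SUCCESS\ntxn_id=TXN_EXAMPLE_001\npayment_status=Completed\nmc_gross=100.00\n"
            "mc_currency=USD\nreceiver_email=merchant%40example.com\ncustom=42")
TAMPERED_PDT = GOOD_PDT.replace("mc_gross=100.00", "mc_gross=0.01")
```

Both functions return the status the order would be set to, so the difference is visible without any gateway round-trip; in a real handler the validated status is what gates sending the receipt and firing completion hooks.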

    Plugin Author Chris Klosowski

    (@cklosows)

    This has been resolved in EDD 2.9.10. We just released a single issue fix that contains a validation of the payment data prior to marking it as complete when using PDT.

    Thank you for getting us the exact information on how to replicate this, as initially we were talking about different processes.

    – Chris

  • The topic ‘Security Warning – Stupid PayPal Standard Gateway Implementation’ is closed to new replies.