Modrnlifer
Starting Member
12 Posts |
Posted - December 05 2006 : 06:57:17
|
We've had an order made through PayPal but there's no record of it in the PayPal account.
The order shows as completed in the cart admin area and an email has been triggered from the site which we've received but absolutely nothing from PayPal - no email or record of the transaction.
PayPal say they had no problems on the date of the order and the email of the person who ordered is not registered to a PayPal account so it looks as if it's been a credit card payment.
We suspect they're hackers as they've not replied to our emails and the telephone isn't being answered but we'd like to be sure that it isn't a technical glitch.
Is bypassing PayPal possible? Could they have just entered the order directly into our SQL database? |
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - December 05 2006 : 15:42:17
|
yes, it's possible to do that with standard paypal (I won't explain how here for obvious reasons), and that order is almost certainly a hacker. if you use paypal ipn or paypal pro then it's not possible (as long as it's set up properly)
if you sell downloads on your site, then you need to use paypal pro or paypal ipn or some other gateway, otherwise people will be able to place invalid orders and still get the download links.
that's one of the reasons we don't use paypal anymore for our addon sales, as we sell downloads.
I discovered that gap with standard paypal when I was testing our own site long ago and I was trying to work out an easy way to flag the test order I was making as valid without having to go through admin or making a payment. I was a bit horrified to find that my first basic attempt to do that worked with no problems; at that point we immediately switched to a different gateway.
Note that this is a logical fault/gap with paypal, and not a vpasp bug/problem, and it's only relevant to basic paypal; paypal ipn+pro are fine.
Simon Barnaby Developer www.BigYellowZone.com Web Design, Online Marketing and VPASP addons |
Edited by - devshb on December 05 2006 16:13:28 |
|
|
Modrnlifer
Starting Member
12 Posts |
Posted - December 05 2006 : 19:02:46
|
Many, many thanks for this info - we are using the standard version & we did suspect it might be a dodgy order. However we're selling jewellery rather than downloads so it's not quite the problem it could have been. I'll pass this info on to the site owner.
Some good came out of it though - it made me review the site thoroughly and upgrade to v9.01. |
Edited by - Modrnlifer on December 05 2006 19:09:15 |
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - December 05 2006 : 19:23:54
|
true; yes, for physical products it's more of an annoyance than a real problem, as long as you double-check your orders against the paypal system then no real harm can come of it.
Simon Barnaby Developer www.BigYellowZone.com Web Design, Online Marketing and VPASP addons |
|
|
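The double-check against PayPal's records mentioned in the post above, as an added example that is not part of the original thread or of VP-ASP's own code: it holds any order the cart marks completed that has no matching completed PayPal transaction for the same amount. The record layout and field names (`order_id`, `invoice`, `gross` and so on) are assumptions for illustration, and the sample data is constructed.

```python
from decimal import Decimal

# Constructed sample data; field names are hypothetical, not VP-ASP's or PayPal's schema.
CART_ORDERS = [
    {"order_id": "1001", "total": "49.99", "currency": "GBP", "status": "completed"},
    {"order_id": "1002", "total": "120.00", "currency": "GBP", "status": "completed"},
    {"order_id": "1003", "total": "15.50", "currency": "GBP", "status": "completed"},
    {"order_id": "1004", "total": "30.00", "currency": "GBP", "status": "pending"},
    {"order_id": "1005", "total": "75.00", "currency": "GBP", "status": "completed"},
]
PAYPAL_TXNS = [
    {"txn_id": "TXN-A", "invoice": "1001", "gross": "49.99", "currency": "GBP", "status": "Completed"},
    {"txn_id": "TXN-B", "invoice": "1003", "gross": "1.00", "currency": "GBP", "status": "Completed"},
    {"txn_id": "TXN-C", "invoice": "1005", "gross": "75.00", "currency": "GBP", "status": "Pending"},
]

def reconcile(orders, txns):
    """Return {order_id: reason} for completed cart orders PayPal does not back."""
    by_invoice = {}
    for t in txns:
        by_invoice.setdefault(t["invoice"], []).append(t)
    suspect = {}
    for o in orders:
        if o["status"] != "completed":
            continue  # only orders the cart believes are paid need checking
        matches = by_invoice.get(o["order_id"], [])
        if not matches:
            suspect[o["order_id"]] = "no PayPal transaction"
            continue
        paid = [t for t in matches if t["status"] == "Completed"]
        if not paid:
            suspect[o["order_id"]] = "payment not completed"
        elif not any(Decimal(t["gross"]) == Decimal(o["total"])
                     and t["currency"] == o["currency"] for t in paid):
            suspect[o["order_id"]] = "amount or currency mismatch"
    return suspect

if __name__ == "__main__":
    # Orders listed here should be held back from shipping or download release.
    for order_id, reason in reconcile(CART_ORDERS, PAYPAL_TXNS).items():
        print(f"hold order {order_id}: {reason}")
```
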
Modrnlifer
Starting Member
12 Posts |
Posted - December 06 2006 : 14:07:53
|
You're right it is an annoyance & I've now been looking into PayPal IPN - do you know if there's an additional cost attached to using it?
It seems like I can just enable it on the PayPal account but I don't want to give the site owner a nasty shock. |
Edited by - Modrnlifer on December 06 2006 15:00:02 |
|
|
jubjub
VP-CART New User
110 Posts |
Posted - December 06 2006 : 20:14:29
|
It's free, it'll just require a few configuration changes in Paypal and loading up another set of Paypal files on your server. |
|
|