Ignoring the amount customers confirm is no security bug according to PayPal (opens in new tab)

(seclists.org)

173 pointsdavid_b11y ago36 comments

36 comments

I've implemented express checkout on a few carts I've written. It isn't possible to calculate the shipping cost/method until the user gives at at minimum their zip code and country. So basically the flow of Express Checkout doesn't allow this since that information is sent back once they authorize a charge and return to your site. At that point the customer is prompted with an order confirmation, final total and to select their shipping information. When they click confirm the charge is actually made. Express Checkout is extremely popular on all of the sites I've worked with and is probably quickest payment method people can use. In the 6+ years we've been using it we have not had one single complaint about charging the wrong amount shown on the PayPal confirmation page. Customers understand they must select their shipping method and I would rather not have them enter duplicate information.

I am confused how this "bug" is any different that using something like the payments pro API. Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.

lawl11y ago

I wouldn't mind entering my ZIP to precalculate the shipping costs. But seriously, Shipping costs are a lame excuse. There is nothing that stops paypal to call back to the shop to get the shipping costs. Or just make a CORS request from the browser itself and have the shop sign the shipping costs so paypal knows.

> Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.

Which is exactly why I only use shops with paypal where I see the amount charged on paypal.com if I don't completely trust the shop. I was under the impression that this was the value paypal provides. Apparently I was wrong. Might as well get a prepaid credit card now.

marze11y ago

Of course it is a bug. Proper behavior would be to confirm the amount plus shipping, or at very least, limit the change to an amount no greater than $20 more than what was confirmed.

anujnayar11y ago

Hi - It's anuj Nayar from PayPal. I can confirm that through our Bug Bounty Program a researcher reported this suspected vulnerability with our PayPal Express Checkout.

After looking into the issue, we don't think this is in fact a vulnerability. We work closely with our merchants who use Express Checkout to provide them the flexibility they need to complete their transactions in a timely manner so they can offer excellent payments experiences to their customers. We offer robust buyer and seller protection to cover both ends of the transaction and our systems are pretty good at finding and flagging this kind of illegal behavior if a merchant were to start overcharging your customers.

beejiu11y ago

This is how it has always been; it's written in the documentation. I don't personally consider this a bug, since a retailer could feasibly accept a credit card and charge whatever they want to it. The fact the PayPal allows the amount to be changed is not dangerous, because PayPal holds the liability and any charges can be reversed. Furthermore, the business who charges consumers without consent will be committing fraud.

thejosh11y ago

It's a flaw though. A user trusts that the amount that they see in PayPal ($19.95) is what they will be charged when they click accept - not $21.95 or $25.95 or $2,000.

It's different if you are having your customers type in their details, even though they hope you will charge them $19.95, and not double charge them or steal their credit card information - this is a reason why people use PayPal.

But yeah, like you said it is fraud, though a business could argue shipping charges or tax or "addon pricing" or whatever for a small amount (a company I would see doing this is GoDaddy), but larger amounts their PayPal account would probably be banned.

Hermel11y ago

> any charges can be reversed

Good luck with that. It's very hard to get your money back when the merchant knows how to answer Paypal's questions. I failed at doing so when a merchant sold me something he could not deliver and then insisted on giving me a voucher instead returning my money.

MichaelApproved11y ago

This story is going to need more detail because one of the biggest complaints merchants have is how PayPal will pretty much always side with the customer.

1 more reply

EGreg11y ago

PayPal nearly always sides with customers in a chargeback dispute. I'm not sure how this business was able to get around that.

jackweirdy11y ago

True, but how many customers read the documentation? If that's the way it is, the user should at least be told that on the checkout screen.

beejiu11y ago

It's shouldn't really affect customers in any way. By terms of Express Checkout, after returning from the authorization at PayPal (which is NOT a checkout screen), the business must show the final checkout screen with the finalised price. If the business doesn't do this, it is the business committing fraud. PayPal is rather good at holding payments from businesses until they are happy everything is legitimate.

1 more reply

onewaystreet11y ago

It doesn't really matter because the customer isn't on the line. It's PayPal that is. Considering how fanatically PayPal fights fraud, that they don't consider this an issue pretty much tells you that it isn't one.

1 more reply

david_bOP11y ago

While I can see how this behaviour of PayPal is close to credit cards, I cannot see how they can show an amount that may be incorrect - they could just ask the shop whether the amount is final or not and indicate that in some way.

I wouldn't be astonished to see chargebacks (by buyers who think they were overcharged) resulting from this - that can hardly be in anyones interest.

seabee11y ago

If a bug causes behaviour that everybody expects, is it still a bug?

EGreg11y ago

Who is everybody? I never knew a website could charge via paypal $200 more than what I authorized. I thought PayPal was different than credit cards!

1 more reply

bencoder11y ago

I recently integrated paypal. I did a test to see how much extra we could charge if the customer chose an obscure shipping address and there didn't appear to be any limits like I was expecting(I was expecting a percentage +- of the "confirmed" amount).

I asked paypal and they confirmed that there's no limit.

It is a little weird, but since paypal always sides with customers in disputes, it's probably not so bad if you get hit with this.

mathias11y ago

I spotted this earlier this week when ordering a t-shirt through TeeSpring using PayPal. I authorized a payment of 22.95 USD. Here’s a screenshot from the payment confirmation email I received: http://i.imgur.com/BGjKcsW.png The math doesn’t quite add up.

splitbrain11y ago

This confuses the heck out of me every time I have to work with the Paypal API. I never understood why they implemented it this way. It makes absolutely no sense IMHO but has always been this way. I'm surprised that this isn't used much more often for fraud.

beejiu11y ago

Some businesses store their delivery costs at PayPal (by country), rather than on their own servers. Hence, they have to go to PayPal to determine these costs. But then, that's just rather poor implementation on part of the retailer.

habosa11y ago

Seems like the sort of trust system that is common in restaurants.

1) You get the check with a total of food and drink.

2) The waiter/waitress takes your card to the register for authorization.

3) You get your card back.

4) You hand-write the tip amount and total, then walk away. You trust the merchant to charge the amount you wrote.

5) The restaurant charges the amount you wrote, but you don't know this for sure until you check your statement.

kuschku11y ago

Here in Germany it works like this:

1) You get the check with a total 2) the waiter hands you a mobile card terminal (like this: http://pay-tec.de/cms/paytec/wp-content/uploads/2014/04/1.jp... ) 3) You put your card in the terminal 4) waiter enters amount to pay + what you said you'd tip 5) You see the total, enter your PIN, press confirm 6) waiter hands you back your card.

alistairSH11y ago

The US lags behind in card payment systems. We usually hand the card over to the wait staff, they carry it away to a remote terminal (and we trust that they don't copy the card while in their possession), then we manually enter a tip after the fact.

efuquen11y ago

Yes, this is how it works in many places in Europe. I really wish I saw this in the US, such a shame.

true_religion11y ago

Not really common in European restuarants. They bring you a card machine, you swipe and add the tip right there on the machine.

arrel11y ago

This is the magic if market dynamics. If a business fraudulently takes advantage of this they will not build up a customer base, paypal will shut down their account, and money will be refunded. PayPal is taking most of the risk so that businesses can be flexible and provide a better experience.

It's not a bug, it's the way things should work with more services. PayPal's product may be outdated in many ways, but this is not one of them.

jdong11y ago

This is hardly an issue with a system that by design allows payment reversals. If you get defrauded, just chargeback.

arjie11y ago

Now I have to pay, then verify each payment manually. This is the job I thought PayPal was doing for me. Instead they've created more work since now I have to check two places to make sure charges are correct: my credit card statement and PayPal.

LeicaLatte11y ago

They don't have David Marcus anymore to respond in these forums. Poor PayPal.

anujnayar11y ago

Hi - its Anuj Nayar, senior director of global initiatives at PayPal. I have been reading this string with interest. We offer both buyer and seller protection to try and make sure we cover everyone. We do not always side with the buyer. On the restaurant payment side, we have been rolling out mobile payments solutions at places around the world, that let you check out and pay from your phone (inc tip). You are notified via text and email as soon as it goes through.

LeicaLatte11y ago

👍

j / k navigate · click thread line to collapse

36 comments

benmorris11y ago

lawl11y ago

> Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.

marze11y ago

Of course it is a bug. Proper behavior would be to confirm the amount plus shipping, or at very least, limit the change to an amount no greater than $20 more than what was confirmed.

anujnayar11y ago

Hi - It's anuj Nayar from PayPal. I can confirm that through our Bug Bounty Program a researcher reported this suspected vulnerability with our PayPal Express Checkout.

beejiu11y ago

thejosh11y ago

It's a flaw though. A user trusts that the amount that they see in PayPal ($19.95) is what they will be charged when they click accept - not $21.95 or $25.95 or $2,000.

Hermel11y ago

> any charges can be reversed

MichaelApproved11y ago

This story is going to need more detail because one of the biggest complaints merchants have is how PayPal will pretty much always side with the customer.

1 more reply

EGreg11y ago

PayPal nearly always sides with customers in a chargeback dispute. I'm not sure how this business was able to get around that.

jackweirdy11y ago

True, but how many customers read the documentation? If that's the way it is, the user should at least be told that on the checkout screen.

beejiu11y ago

1 more reply

onewaystreet11y ago

1 more reply

david_bOP11y ago

I wouldn't be astonished to see chargebacks (by buyers who think they were overcharged) resulting from this - that can hardly be in anyones interest.

seabee11y ago

If a bug causes behaviour that everybody expects, is it still a bug?

EGreg11y ago

Who is everybody? I never knew a website could charge via paypal $200 more than what I authorized. I thought PayPal was different than credit cards!

1 more reply

bencoder11y ago

I asked paypal and they confirmed that there's no limit.

It is a little weird, but since paypal always sides with customers in disputes, it's probably not so bad if you get hit with this.

mathias11y ago

splitbrain11y ago

beejiu11y ago

habosa11y ago

Seems like the sort of trust system that is common in restaurants.

1) You get the check with a total of food and drink.

2) The waiter/waitress takes your card to the register for authorization.

3) You get your card back.

4) You hand-write the tip amount and total, then walk away. You trust the merchant to charge the amount you wrote.

5) The restaurant charges the amount you wrote, but you don't know this for sure until you check your statement.

kuschku11y ago

Here in Germany it works like this:

alistairSH11y ago

efuquen11y ago

Yes, this is how it works in many places in Europe. I really wish I saw this in the US, such a shame.

true_religion11y ago

Not really common in European restuarants. They bring you a card machine, you swipe and add the tip right there on the machine.

arrel11y ago

It's not a bug, it's the way things should work with more services. PayPal's product may be outdated in many ways, but this is not one of them.

jdong11y ago

This is hardly an issue with a system that by design allows payment reversals. If you get defrauded, just chargeback.

arjie11y ago

LeicaLatte11y ago

They don't have David Marcus anymore to respond in these forums. Poor PayPal.

anujnayar11y ago

LeicaLatte11y ago

👍

j / k navigate · click thread line to collapse