Post by EMRick » Tue Jul 18, 2017 3:58 pm

One of our sites keeps receiving emails like the one below, claiming there are exploits in the OC code. I'm sure this is likely just a scam email, so firstly I wanted to post it to warn others but also to get community feedback.

>>>>>>>>>>>>>>>>>>>>>>>>>
Subject: Urgent issue with domain-removed.com website

Hello,

My name is Tom and I am an IT Developer based in Poole, Dorset.

I have discovered a serious exploit on the domain-removed.com website which allows users to set their own prices for your items. For example, a fraudster could place a £100 order and only pay £10 for it. More importantly, you wouldn’t even notice that this had happened as your OpenCart admin panel will show that the order has been paid in full, however, if you check your PayPal account afterwards you will see that they did not pay the full amount.

I would be happy to demonstrate this exploit for you free of charge. I can place an order on your website, and you can check it on your end. You will see the order in OpenCart appears to be fully paid, but when you check your PayPal account you will see I only paid a few pence.

Fraudsters will usually pay more than just a few pence to stop their scam being detected. A fraudster may place an order for £100, and only pay £14. This means that when you are scrolling through your PayPal account, you don't notice anything unusual.

This issue is becoming more and more common and simply updating OpenCart will not resolve the issue.
If you would like us to repair this issue for you then we can do so for a fixed fee of £95+VAT.

Please let me know if you would like to schedule in a repair or if you would like me to demonstrate this issue to you free of charge.

Many thanks,

Tom Turner / IT Consultant
tom[at]opencartexpert.xyz

Serallo Ltd trading as OpenCart Expert / https://www.serallo[dot]co[dot]uk
34 St Martins Road, Wareham, Dorset, BH20 7BA
Registered Company No. 10319309


Post by paulfeakins » Tue Jul 18, 2017 5:04 pm

It sounds like this is the issue he found, fix included at this link:
https://www.antropy.co.uk/blog/paypal-s ... art-1-5-x/

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk



Post by EMRick » Tue Jul 18, 2017 5:56 pm

Thanks for the share. I can confirm this is a 2.2 install and the email is not an outright scam, as this Tom guy just placed an order on the site and paid 2p on PayPal for an order worth over £200. Obviously the order status came in as processing, so it needed to be manually checked, whereas a successful order normally gets the correct complete status.

OpenCart identified that there was a mismatch and didn't give the order the "Complete" status, but reading that shared article, should this even be possible from 2.x onwards?


Post by EMRick » Tue Jul 18, 2017 6:35 pm

Some more information: I can confirm that this is still an issue in 2.2. I know the order status can be set to something other than "Complete" when the totals don't match, but according to that shared article Dan Kerr did mention that it should not even be possible to mess with these figures anymore.

Using the default paypal standard module I can confirm price manipulation is still possible in 2.2.

Process through checkout with £200 of items in the basket, then at the very last step before clicking confirm order just use any simple inspector tool to change the value which is about to be passed to PayPal to, say, 2 pence. Continue to PayPal; it will ask for 2 pence, pay for the order and all goes through fine. Only the order status highlights there was an issue, and "processing" isn't a very clear status, so we have adjusted our statuses to be more of a warning message.

Surely this should no longer be an issue in the first place, or is this one of those plagued issues of using redirect payment providers, because there is that moment between the redirects where data can be tampered with?

If there is any fix for this for version 2.2 I would love to know, or is it just something we have to live with and ensure the order status is made crystal clear that there might be an issue with this order?

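A server-side check of the kind the thread is asking for, as an added example that is not part of the original posts or of OpenCart's own code: it compares what PayPal reports as actually paid (mc_gross, mc_currency) against the order total stored on the server and only then marks the order complete, sending short-paid orders to review and rejecting replayed or mis-directed notifications. The field names are standard PayPal IPN variables; the order, merchant email and amounts are constructed, and the IPN is assumed to have already been validated with PayPal before this runs.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation


@dataclass
class Order:
    order_id: int
    total: Decimal          # server-side order total, the only figure we trust
    currency: str           # e.g. "GBP"
    receiver_email: str     # the merchant's own PayPal account email


@dataclass
class PaymentVerifier:
    # txn_ids already credited, so a captured IPN cannot be replayed against another order
    seen_txn_ids: set = field(default_factory=set)

    def verify(self, order: Order, ipn: dict) -> tuple[str, str]:
        """Return (status, reason). Assumes the IPN was already echoed back to
        PayPal's validate endpoint and answered VERIFIED; that step is not shown here."""
        if ipn.get("payment_status") != "Completed":
            return "pending", f"payment_status is {ipn.get('payment_status')!r}"
        if ipn.get("receiver_email", "").lower() != order.receiver_email.lower():
            return "denied", "receiver_email is not the merchant account"
        txn_id = ipn.get("txn_id")
        if not txn_id or txn_id in self.seen_txn_ids:
            return "denied", "missing or previously used txn_id"
        if ipn.get("mc_currency") != order.currency:
            return "denied", f"currency {ipn.get('mc_currency')!r} != {order.currency!r}"
        try:
            paid = Decimal(ipn.get("mc_gross", ""))
        except InvalidOperation:
            return "denied", "mc_gross is not a valid amount"
        # The amount posted to PayPal came from the customer's browser and may have been
        # edited; compare what PayPal says was paid against the stored order total instead.
        if paid < order.total:
            return "review", f"paid {paid} but order total is {order.total} {order.currency}"
        self.seen_txn_ids.add(txn_id)
        return "complete", "amount, currency, receiver and txn_id all check out"


# Constructed sample: a £200 order where the posted amount was edited to 2p before the redirect
ORDER = Order(order_id=1001, total=Decimal("200.00"), currency="GBP",
              receiver_email="payments@example-shop.test")
TAMPERED_IPN = {"txn_id": "TX-0001", "payment_status": "Completed", "mc_currency": "GBP",
                "mc_gross": "0.02", "receiver_email": "payments@example-shop.test"}
HONEST_IPN = dict(TAMPERED_IPN, txn_id="TX-0002", mc_gross="200.00")

if __name__ == "__main__":
    v = PaymentVerifier()
    for name, ipn in (("tampered", TAMPERED_IPN), ("honest", HONEST_IPN)):
        print(name, v.verify(ORDER, ipn))
```

The "review" outcome is the equivalent of the "processing" status described above; the point is that the decision is driven by the amount PayPal reports, never by the figure the checkout page posted.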

Post by yorkshireboy » Wed Jul 19, 2017 4:09 am

Just received the exact same email.

Can anyone confirm if this is a real issue on OC2.0.3.1? And if so, is there a fix?

Thanks


Post by EMRick » Wed Jul 19, 2017 3:28 pm

More info on the subject: that very same client who got the email in the first post just received this from PayPal. Keep in mind neither I nor the website owner even contacted PayPal to alert them of the scam email, so is this a bigger issue? PayPal already appear to be sending customer emails instructing them to contact them if they receive such an email as in my original post.

All names etc removed for privacy.

>>>>>>>>>>>>>>>>>>>>>
Dear X,
My name is X from PayPal Business Support.
I have reason to believe you have been contacted by someone advising they can change the value of your items at the time of checkout.
Please disregard an offer of the services they provide to secure your website and upgrade from Website Payments Standard to Express Checkout.
I would suggest contacting me by telephone on xxxxxxxxxx to discuss this further and to answer any questions you may have.
It's been my pleasure to help you. If you have any further enquiries, please email xxxxxxxxx or call us on xxxxxxxxx, from 9am to 5.30pm GMT Monday to Friday.
Yours sincerely,
X
Business Support Department
PayPal


Post by EMRick » Tue Jul 25, 2017 3:45 pm

Just wondering if any official comment from any mods or devs of OpenCart can add anything to this. The fact that PayPal are contacting customers to warn them of this scam email before it has even been reported tells me this is not an isolated issue.
