osCommerce

MONEYBOOKERS HACK: Be careful!


chooch

Just like with the PayPal IPN (and PayPal Express but not PayPal WPP) and numerous other payment contributions, the Moneybookers module is open to abuse. The hack will affect store owners by having to use their time to filter through and find order statuses for hacked orders and genuine ones but if you sell virtual products like audio/visual downloads then you are losing money as people are obtaining them for free.

 

Here's the Moneybookers hack:

 

1) Open an account on any osCommerce store

2) Add any items to cart and hit the checkout button

3) When you get to checkout_payment.php select Moneybookers

4) Then when the Moneybookers payment details appear simply change the end of the URL in your browser from 'checkout_payment.php' to 'checkout_process.php' and press enter/return.

5) Checkout_success.php appears and order has been completed

 

From what I can tell it needs to be plugged in checkout_payment before and after Moneybookers is selected otherwise those with digital downloads are open to fraud. The same hack affects nearly all of the payment modules for oscommerce.

 

For what it's worth, PayPal WPP, if selected from a list of options by customers or if used by store owners as the default single payment option, blocks this hack from working; the only time I could tell PayPal WPP was open to the hack was when Express Checkout was installed and operated alongside WPP.

 

Be careful people.

Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back!

 

Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you?

 

There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere.

 

CHOOCH


Hi,

 

This is a common problem with the OS commerce script. All shop owners should check to see if a payment has actually been made before they ship any products. A lot of payment processors have not implemented ways to check for a successful transaction - (ex. returning a hashed value) - the check out functions usually default return (ie. no checks made) so unfortunately there is not a way to stop the checkout_process.php bug.

 

It should be noted this is an OSc bug as well and such functions should take place in a protected class, not in a public php doc.

 

Gray Appleton

PHP5, Javascript, MySQL and now Flash????????....... Ohhhhhh..... I think I have a head ache.....
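One way to implement the check Gray describes (confirm the payment server-side before anything ships or unlocks), as an added example that is not osCommerce's own code: the function names, order statuses and the HMAC-signed callback are assumptions standing in for whatever a given processor provides, and the gateway secret is a placeholder.

```php
<?php
// Added example (not osCommerce code): an order becomes "paid" only through a
// server-side gateway confirmation, never because the customer's browser
// reached checkout_process.php or checkout_success.php. Names are hypothetical.

const STATUS_PENDING = 'pending_payment';
const STATUS_PAID    = 'paid';
const GATEWAY_SECRET = 'PLACEHOLDER-shared-secret-from-your-gateway'; // assumption

// checkout_process.php side: record the order, but only as awaiting payment.
function create_pending_order(array $cart, string $customer_id): array {
    return [
        'id'       => bin2hex(random_bytes(8)),
        'customer' => $customer_id,
        'items'    => $cart,
        'total'    => round(array_sum(array_column($cart, 'price')), 2),
        'status'   => STATUS_PENDING,
    ];
}

// Gateway callback side (IPN-style, server to server): verify the message is
// authentic and matches the order before marking it paid. The HMAC scheme is
// an assumption standing in for the processor's real signing method.
function confirm_payment(array &$order, array $callback): bool {
    $signed   = ($callback['order_id'] ?? '') . '|' . ($callback['amount'] ?? '');
    $expected = hash_hmac('sha256', $signed, GATEWAY_SECRET);
    if (!hash_equals($expected, (string)($callback['signature'] ?? ''))) {
        return false;                                   // forged or tampered
    }
    if ($callback['order_id'] !== $order['id']
        || abs((float)$callback['amount'] - $order['total']) > 0.005) {
        return false;                                   // wrong order or amount
    }
    $order['status'] = STATUS_PAID;
    return true;
}

// Fulfilment (download links, shipping) consults the stored status only.
function can_fulfil(array $order): bool {
    return $order['status'] === STATUS_PAID;
}

// Constructed walk-through: landing on the success page changes nothing;
// only a correctly signed notification for the right order and amount does.
$order  = create_pending_order([['sku' => 'ebook-1', 'price' => 9.99]], 'cust-42');
assert(!can_fulfil($order));                            // still unpaid
$forged = ['order_id' => $order['id'], 'amount' => '9.99', 'signature' => 'bogus'];
assert(!confirm_payment($order, $forged));              // unsigned notification rejected
$real   = ['order_id' => $order['id'], 'amount' => '9.99'];
$real['signature'] = hash_hmac('sha256', $real['order_id'] . '|9.99', GATEWAY_SECRET);
assert(confirm_payment($order, $real) && can_fulfil($order));
```

The essential point is that the callback handler, not any customer-facing page, is the only code path that writes STATUS_PAID, so editing a URL cannot reach it.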


I tried this hack on my site and it didn't seem to work. I went to the checkout page and changed the URL (without entering any CC information) and it just sent me back to the page where I had to enter the CC information. I'm using authorize.net AIM.


The hack does not work on HSBC, PayPal WPP, Authorizenet AIM but I think it does work on AuthorizeNet basic and it does not work on some other payment modules, but the hack does work on PayPal standard, PayPal IPN, PayPal WPP if Express Checkout is activated, Moneybookers and many others. The hack can only be confirmed by process of elimination.

 

I only highlighted the issue here because apparently Moneybookers is becoming popular with lots of stores and I used the contribution to test. Anyone with downloadable products or digital/software/music/video files etc. are the ones who will be at risk until they decide which payment module they want and test to see if the hack works before working out a way to plug it.

Edited by chooch

A lot of payment processors have not implemented ways to check for a successful transaction

 

I said alot, not all...

 

The hack can only be confirmed by process of elimination.

 

chooch is pretty much correct here... If you're not a programmer familiar with php(object) then there is no other way other than trial and error.

So, play it on the safe side and:

check to see if a payment has actually been made before they ship any products.

 

A lot of payment processors do not have the funds or the manpower to develop modules for all the open source web shops out there.

 

Gray
