thirty bees forum

Bug : Able to alter price at checkout


Cassim

Question

9 answers to this question


  • 0
13 hours ago, the.rampage.rado said:

Does editing the source code at the checkout page and sending a screenshot to the merchant count? 😄 😄 😄

Yessss, if the merchant is naive enough. We can fix that problem for you for only 49,99 and we don't even need access to the site.

You can now click ctrl+f5 and your store will reload with all the bugs fixed.

Edited by toplakd

  • 0

What he did was intercept the call to the gateway, change the values, and he was able to create an order with a 0 or 0,01 order value and not 100.

From my point of view, you can call it a hack, you can call it what you want, but somehow I think TB will return "payment error" no matter what, as the value will not match the one in the store. Not sure.

In other terms, can this be fixed or hidden away?


  • 0
2 hours ago, Cassim said:

What he did was intercept the call to the gateway, change the values, and he was able to create an order with a 0 or 0,01 order value and not 100.

From my point of view, you can call it a hack, you can call it what you want, but somehow I think TB will return "payment error" no matter what, as the value will not match the one in the store. Not sure.

In other terms, can this be fixed or hidden away?

In the end, did you receive such a fraud payment or did they simply say 'I can do this!'?


  • 0

I'm not sure there is a bug at all here.

First of all -- this is specific to some payment gateway / module. Most of the modern payment solutions do not send payment information in query / post parameters when redirecting to the payment gateway. Instead, the payment intent is registered using a back-to-back call (your server informs the payment provider about the amount, items, etc.), and the redirect only contains the unique ID of this payment intent. There is nothing that an attacker can intercept and/or modify. If your module/payment provider sends amounts in the redirect request, you should consider switching payment provider.

The other thing is -- thirtybees supports partial payment. You should always check the order in the back office to see if it is paid in full or not. Note that payment status is not a trustworthy indicator of this. An order can be, for example, in 'Payment accepted' status, yet still be partially paid.

If the attacker intercepted and modified the redirect to the payment processor, then the payment will not match the order total. This should be marked on your order in the Payment section:

[Screenshot of the order's Payment section]

If the payment is not registered correctly (the order is marked as fully paid even though a different amount was actually paid), then this is a bug in the payment module. The payment gateway redirects the user back to your website, and the payment module is responsible for extracting the information provided by the gateway. Again, it will either be some ID and the module will do a direct server-to-server call to receive information about the transaction, or the information should be (somehow signed) in the redirect request itself. It's the module's responsibility to resolve (and verify) the amount actually paid.

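As an added example (not code from thirty bees or from either payment module named in this thread), the Python script below models the two module designs contrasted in the answer above: one that trusts the amount carried in the gateway redirect, and one that verifies a gateway signature, resolves the order from a server-side intent record, and compares the reported amount with the stored order total, flagging short payments for back-office review. The shared secret, the HMAC-over-sorted-parameters signing scheme, the intent registry and the sample order are all assumptions constructed for this example.

```python
"""Model of gateway-redirect handling: trusting the redirect vs. verifying it.

Everything here is constructed for illustration; the signing scheme and the
shared secret are assumptions, not any real gateway's protocol.
"""
import hashlib
import hmac
import secrets
from decimal import Decimal
from urllib.parse import parse_qs, urlencode

# Constructed sample shop data: one order for 100.00 EUR awaiting payment.
ORDERS = {"ORD-1001": {"total": Decimal("100.00"), "currency": "EUR",
                       "state": "awaiting_payment"}}

# Hypothetical secret shared between shop and gateway (assumption).
GATEWAY_SECRET = b"example-shared-secret"

# Payment intents registered server-to-server: intent_id -> order id.
INTENTS = {}


def register_intent(order_id):
    """Back-to-back step: the shop tells the gateway the amount; the browser
    only ever carries the opaque intent id, so there is no amount to alter."""
    intent_id = secrets.token_hex(8)
    INTENTS[intent_id] = order_id
    return intent_id


def gateway_sign(params):
    """Gateway side: HMAC-SHA256 over the sorted key=value list it reports
    back (hypothetical scheme standing in for a real gateway's signature)."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(GATEWAY_SECRET, canonical, hashlib.sha256).hexdigest()


def gateway_redirect(intent_id, paid_amount, currency):
    """Query string the gateway appends when sending the customer back."""
    params = {"intent": intent_id, "amount": str(paid_amount), "currency": currency}
    params["sig"] = gateway_sign(params)
    return urlencode(params)


def insecure_module_handle(query):
    """The pattern the thread warns about: mark the order paid on return,
    with no signature check and no comparison against the stored total."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    order = ORDERS[INTENTS[q["intent"]]]
    order["state"] = "payment_accepted"
    return order["state"]


def secure_module_handle(query):
    """Verify the signature, resolve the order from the server-side intent
    map, then compare the reported amount with the stored order total."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    sig = q.pop("sig", "")
    if not hmac.compare_digest(sig, gateway_sign(q)):
        return "rejected_bad_signature"          # redirect was altered
    order_id = INTENTS.get(q.get("intent"))
    if order_id is None:
        return "rejected_unknown_intent"         # not an intent we registered
    order = ORDERS[order_id]
    if q.get("currency") != order["currency"]:
        return "rejected_currency_mismatch"
    paid = Decimal(q["amount"])
    if paid >= order["total"]:
        order["state"] = "payment_accepted"
    elif paid > 0:
        order["state"] = "partially_paid"        # needs a look in the back office
    else:
        order["state"] = "payment_error"
    return order["state"]


def run_scenarios():
    """Replay the thread's case (redirect amount changed to 0.01 with the
    original signature left in place) against both handlers, plus a genuine
    full payment and a genuine partial payment."""
    results = {}
    intent = register_intent("ORD-1001")
    genuine = gateway_redirect(intent, Decimal("100.00"), "EUR")
    altered = genuine.replace("amount=100.00", "amount=0.01")
    partial = gateway_redirect(intent, Decimal("50.00"), "EUR")
    for name, handler, query in [("insecure_altered", insecure_module_handle, altered),
                                 ("secure_altered", secure_module_handle, altered),
                                 ("secure_genuine", secure_module_handle, genuine),
                                 ("secure_partial", secure_module_handle, partial)]:
        ORDERS["ORD-1001"]["state"] = "awaiting_payment"
        results[name] = handler(query)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The trusting handler accepts the altered redirect as a full payment, which is the "marked as fully paid even though a different amount was paid" bug described above; the verifying handler rejects it on the signature alone and, for a genuine short payment, leaves the order in a partially-paid state rather than 'Payment accepted', which is the back-office check the answer recommends.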

  • 0

@datakick Thanks for the return. And yes, it is more a gateway issue than a TB issue, agreed. The gateways here are "QuickPay by Kjeld" & "PayPal - By presta_world".

@the.rampage.rado he did go to the payment page and was about to place the order, yes. So he can do it and did almost do it 100% (think he did not do it as that would be fraud - making it hard to earn from it).

 
