Paypal payment security concern

If you think that something doesn't work in Aware IM post your message here
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Paypal payment security concern

Post by hpl123 »

Hi support / all,
I intended to use Paypal payments for a project in Aware and, when fiddling with difficulties with the return URL, I discovered a security issue which renders the current Paypal solution in Aware useless for me. I am sharing it here to hopefully get support to change it and make it secure, and also to inform others that may be using it. The problem is, with the current setup in Aware it is not possible to change the return URL in any way, so the current Aware/Paypal integration uses a default one that basically is: http://www.mydomain.com:8080/app/req.aw ... CCESS=true for successful payments OR http://www.mydomain.com:8080/app/req.aw ... CESS=false for errors or cancellations in payment. The problem is, anyone can manually type in the success return URL BEFORE the payment has been made, fooling Aware (and the app owner etc.) into thinking the payment was successful.

Here are the steps to reproduce:
1. Open up the Library sample application and make sure it's initialized and a Paypal account email is set
2. Start the MakePayment process and add 1 dollar or so in the form
3. Start the make payment procedure (the payment is not made automatically), after which you are directed to the Paypal website where you are intended to log in
4. Don't log in, but instead paste the return URL in the address bar, e.g. http://www.mydomain.com:8080/app/req.aw ... CCESS=true
5. The Paypal browser window/tab is closed and you are directed back to Aware, where you will get the successful payment notification

Ideally we need the option to set custom return success and failure URLs; we could then add some things to the URL like an invoice ID or whatever other parameter indicating in part the state of the payment, and also hide or make it difficult to forge the status update.
Henrik (V8 Developer Ed. - Windows)
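The issue described in the post above is that the application trusts a browser-supplied `BAS_SUCCESS=true` flag as proof of payment. The following is an added example (not Aware IM's code, and not the fix that support later shipped) contrasting that pattern with a hardened design: the server records each pending order, binds the return URL to it with an unguessable nonce and an HMAC signature, and only treats the order as paid after a server-to-server confirmation from the payment provider (such as PayPal's IPN) has been recorded. `PaymentLedger`, `APP_BASE`, the query parameter names `invoice`, `nonce` and `sig`, and the `gateway_notification` method are all hypothetical; the sample URLs are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample: the forged "success" return URL from the bug report.
FORGED_RETURN_URL = "http://www.mydomain.com:8080/app/req.awurl?BAS_SUCCESS=true"
# Hypothetical application endpoint used to build return URLs.
APP_BASE = "http://www.mydomain.com:8080/app/req.awurl"


def _query(url):
    """Return the query string of url as a dict of single string values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_is_paid(return_url):
    """Models the reported behaviour: the browser-supplied flag alone decides the outcome."""
    return _query(return_url).get("BAS_SUCCESS") == "true"


class PaymentLedger:
    """Hypothetical server-side order book that decides 'paid' from its own records only."""

    def __init__(self, secret):
        self.secret = secret   # HMAC key that never leaves the server
        self.orders = {}       # invoice_id -> {"amount", "nonce", "status"}

    def _sign(self, invoice_id, nonce):
        msg = f"{invoice_id}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def start_payment(self, invoice_id, amount):
        """Record a pending order and build a return URL bound to it with a fresh nonce."""
        nonce = secrets.token_urlsafe(16)
        self.orders[invoice_id] = {"amount": amount, "nonce": nonce, "status": "pending"}
        sig = self._sign(invoice_id, nonce)
        return f"{APP_BASE}?invoice={invoice_id}&nonce={nonce}&sig={sig}"

    def gateway_notification(self, invoice_id, amount, status):
        """Simulated server-to-server notification from the payment provider.

        Only this path may flip an order to 'paid'. A real implementation must
        first verify the message with the provider (for PayPal IPN, by posting it
        back for validation) before acting on it.
        """
        order = self.orders.get(invoice_id)
        if order is None or order["amount"] != amount:
            return False
        if status == "Completed":
            order["status"] = "paid"
        return True

    def hardened_is_paid(self, return_url):
        """Accept a return URL only if it is bound to a known order the gateway has confirmed."""
        q = _query(return_url)
        invoice_id = q.get("invoice", "")
        nonce = q.get("nonce", "")
        sig = q.get("sig", "")
        order = self.orders.get(invoice_id)
        if order is None:
            return False
        # Constant-time comparisons so the checks do not leak the expected values.
        if not hmac.compare_digest(self._sign(invoice_id, nonce).encode(), sig.encode()):
            return False
        if not hmac.compare_digest(order["nonce"].encode(), nonce.encode()):
            return False
        # The browser's return visit proves nothing by itself; the ledger decides.
        return order["status"] == "paid"


def demo():
    """Walk the forged-return scenario through both handlers; returns named outcomes."""
    ledger = PaymentLedger(secrets.token_bytes(32))
    return_url = ledger.start_payment("INV-1001", "1.00")
    results = {
        "vulnerable_accepts_forgery": vulnerable_is_paid(FORGED_RETURN_URL),
        "hardened_rejects_forgery": not ledger.hardened_is_paid(FORGED_RETURN_URL),
        "hardened_rejects_unpaid_return": not ledger.hardened_is_paid(return_url),
    }
    ledger.gateway_notification("INV-1001", "1.00", "Completed")
    results["hardened_accepts_after_gateway_confirms"] = ledger.hardened_is_paid(return_url)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the design is that the return URL is only a navigation hint for the user's browser; a signed, per-order nonce stops someone from guessing or reusing a success URL, and the paid/unpaid decision comes from a record that only the provider's verified notification can change.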
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Re: Paypal payment security concern

Post by aware_support »

Aware IM does provide a number of custom fields in the URL, which you are omitting in your bug report. So we are not exactly sure how to reproduce the problem, since you are providing partial URLs only.
Aware IM Support Team
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Paypal payment security concern

Post by hpl123 »

From the testing I did, it was not possible to use custom fields in the Aware/Paypal solution. Does this work, if so how?
Henrik (V8 Developer Ed. - Windows)
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Re: Paypal payment security concern

Post by aware_support »

I am not talking about user-defined custom fields, I am talking about some special IDs that get sent through the URL. You are not providing full URLs in your report, so it's not clear how to reproduce the problem.
Aware IM Support Team
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Paypal payment security concern

Post by hpl123 »

Not really sure what you mean. If you follow the steps outlined in my report you will experience this bug.
Henrik (V8 Developer Ed. - Windows)
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Re: Paypal payment security concern

Post by aware_support »

This is the URL you are referring to in your bug report:
http://www.mydomain.com:8080/app/req.aw ... CCESS=true

This is not a complete URL - note the ellipsis in the middle. The real URL has some custom parameters there.
Aware IM Support Team
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: Paypal payment security concern

Post by Jaymer »

Henrik,
post the URL inside a code block
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Paypal payment security concern

Post by hpl123 »

Well, if you hover over the URL, right-click and copy, or right-click and open the URL, you will see the whole URL. The whole URL is typed in the forum text; the forum software condenses the VIEWING part, but the whole URL is still there.

Is this better?:

http://www.mydomain.com:8080/app/req.awurl?BAS_SUCCESS=true
Henrik (V8 Developer Ed. - Windows)
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Re: Paypal payment security concern

Post by aware_support »

This should be fixed in build 2922
Aware IM Support Team
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Paypal payment security concern

Post by hpl123 »

Awesome, thanks :)
Henrik (V8 Developer Ed. - Windows)