Bug Security flaw

Status
Not open for further replies.

mikez006

Customer
A member was able to edit the payment amount to 0.01 for any amount of credits they wanted.

I used Hide tags because I didn't want to post the method publicly.

[HIDE]Payment was received ($0.01), but the credits were not added to his account. I'm not sure why.

I asked how he did it and he said you used the "Tamper Data" plugin for Firefox.
https://www.youtube.com/watch?v=EcTTNWVYOiA

It allows him to change the price to anything he wants, which is how he was able to make a $.01 payment even though the minimum is set to $2.50.

Even though the credits weren't added to his account, I'm afraid with a little more work someone would be able to figure it out. He only tried once.

[/HIDE]
Can you please add a fix for this flaw so price can't be changed?
 
No, this is not a security flaw. By your own words, the credits were not added to his account.

When PayPal returns the received payment amount, a series of validation checks are carried out, one of which is to compare the received amount with the expected amount. If the amount is off by as much as a single cent, the system assumes this payment is not related to vBCredits and ignores the payment.

Furthermore, it is entirely impossible for us to prevent someone from hitting F12 / Cmd-Opt-I to open developer tools and alter the HTML displayed.
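The server-side comparison described in the reply above, sketched as an added example (not part of the thread and not vBCredits code). It goes beyond the amount check the reply names by also checking status, receiver and replay. The field names follow PayPal's IPN variables; the order store, the merchant address and the use of `custom` to carry the order reference are assumptions, and the notification is assumed to have been authenticated with PayPal already.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: what the server recorded when it built the checkout
# form. The expected price is never read back from the browser.
PENDING_ORDERS = {
    "order-1001": {"amount": Decimal("2.50"), "currency": "USD", "credits": 250},
}
MERCHANT_EMAIL = "payments@forum.example"  # placeholder address
PROCESSED_TXNS = set()                     # transaction ids already credited


def handle_notification(ipn):
    """Return (credits_to_grant, reason) for one payment notification.

    Any mismatch grants nothing: the payment is treated as unrelated to the
    order, which is the behaviour the reply describes.
    """
    order = PENDING_ORDERS.get(ipn.get("custom", ""))
    if order is None:
        return 0, "unknown order"
    if ipn.get("payment_status") != "Completed":
        return 0, "not completed"
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return 0, "wrong receiver"
    if ipn.get("txn_id") in PROCESSED_TXNS:
        return 0, "duplicate transaction"
    try:
        # Decimal, not float: the comparison must be exact to the cent.
        paid = Decimal(ipn.get("mc_gross", ""))
        if not paid.is_finite():
            raise InvalidOperation
    except InvalidOperation:
        return 0, "unparseable amount"
    if ipn.get("mc_currency") != order["currency"] or paid != order["amount"]:
        return 0, "amount mismatch"
    PROCESSED_TXNS.add(ipn["txn_id"])
    return order["credits"], "ok"


# Constructed notifications: one with the form price edited to 0.01, one honest.
TAMPERED = {"custom": "order-1001", "payment_status": "Completed",
            "receiver_email": MERCHANT_EMAIL, "txn_id": "TXN-A",
            "mc_gross": "0.01", "mc_currency": "USD"}
HONEST = dict(TAMPERED, txn_id="TXN-B", mc_gross="2.50")

if __name__ == "__main__":
    for name, msg in (("tampered", TAMPERED), ("honest", HONEST), ("replay", HONEST)):
        print(name, handle_notification(msg))
```

Logging the rejected notifications rather than dropping them silently gives the site owner a record of tampering attempts like the one reported here.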
 
Okay, good to know. I didn't know there were checks in place to compare payments to prevent these types of things. Thanks.
 
Legacy vBCredits II Deluxe

vBulletin 3.8.x vBulletin 4.x.x
Seller
DragonByte Technologies