Yet another PayPal vulnerability?

scslawin
04-22-2002, 01:45 PM
http://www.wired.com/news/business/0,1367,51977,00.html
Steve

Vex
04-22-2002, 01:51 PM
Wow, that is a big one!

ljprevo
04-22-2002, 02:57 PM
Want to see an example of this? In the article it said:
"Think $650 is too much to pay for a guitar personally signed by Grammy-winning, 80s-rocker Rick Springfield? Tweak the HTML in the PayPal form at his site, RicksMerch.com, and you can order the guitar for just $1 instead."
Now go here: http://ricksmerch.com/guitars.htm
See that $500 black guitar? How about getting it for $5? Look at the attached file. Create an HTML file on your local computer, open it and click Order, voilà, you can get that $500 guitar for $5.
DO NOT order this, this is for example only, that yes it can be done. I am in no way suggesting to order anything this way, just wanted people to be aware that this is very true and possible, esp. if you have anything automated.
Mods, you can delete this if you want.

311
04-22-2002, 04:22 PM
Originally posted by ljprevo:
    Look at the attached file. Create an HTML file on your local computer, open it and click Order, voilà, you can get that $500 guitar for $5.
Not gonna work. Don't you ever think that they review their orders? Let's say they log into their PayPal account, see an order for the guitar, but they only received $5; do you think they'd still send the guitar? Didn't think so...

RDX1
04-22-2002, 04:24 PM
Originally posted by 311:
    Not gonna work. Don't you ever think that they review their orders? Let's say they log into their PayPal account, see an order for the guitar, but they only received $5; do you think they'd still send the guitar? Didn't think so...
exactly :rolleyes:

scslawin
04-22-2002, 04:25 PM
Probably doesn't work for tangible goods, but for intellectual property it probably works quite nicely. You know, pay now with PayPal, then download your software program or e-book instantly?
Steve

311
04-22-2002, 04:40 PM
Originally posted by scslawin:
    Probably doesn't work for tangible goods, but for intellectual property it probably works quite nicely. You know, pay now with PayPal, then download your software program or e-book instantly?
    Steve
Yeah, I got you there, but they used a bad example on the site you posted... :)

ljprevo
04-22-2002, 04:51 PM
I knew it would probably not work for tangible goods. That is why I posted that example. I actually did this to Dim8.net a while back; I let him in on what I was doing, he wanted to know the vulnerability. He had the auto-setup script; I was able to bypass the PayPal signup and go right to his auto-setup and set up a dummy site.

clocker1996
04-22-2002, 06:24 PM
Hey, if you have $50 in your PayPal acct, that is in USD, correct? So you could live in Canada and be sent $50; once you withdraw, it's converted to Canadian? Anyone know?

311
04-22-2002, 09:39 PM
No, I think it's all in American $$$, but who knows, I've never even used PayPal in my life, so I may be wrong... :(

Gurudev
04-22-2002, 09:53 PM
Bogus - It is not a vulnerability with PayPal, it has to do with the site where the order came from. Besides, one should check for sales receipts and PayPal logs before delivering the merchandise - no? If you can't drive a car properly, please don't blame the manufacturer. If one wants to manipulate and submit altered orders via HTML forms, they can do it with anything else, any other site. What's PayPal got to do with it? Nothing!

alpha
04-22-2002, 10:07 PM
Well, I don't know if they've already cautioned their users or maybe found a solution for this problem... but I think PayPal should've warned the users of such a problem. For such a huge presence on the web that handles millions if not billions of dollars daily, they should have predicted this sort of scam/scandal and prevented it somehow.

paypaldamon
05-02-2002, 12:45 AM
All payments via PayPal are currently done in $USD. The conversion to your currency takes place when the withdrawal takes place. Users should take care to review their orders, regardless of the payment mechanism utilized. However, I do believe that our IPN product is less susceptible to this, but it does require greater technical knowledge by the party utilizing it.
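Worked example, added here and not code from the thread, PayPal or any of the posters: the server-side check that ljprevo's $5-for-$500 scenario and paypaldamon's IPN remark both point at, gating fulfilment of a digital item on the amount the processor reports matching the seller's own price list rather than whatever the browser-side form carried. The field names follow PayPal IPN naming but are assumptions, as are the catalog and the two sample notifications, which are constructed.

```python
# Added example: a fulfilment gate for an IPN-style payment notification.
# Assumptions: the notification is form-encoded with fields named like
# PayPal IPN (item_number, mc_gross, mc_currency, payment_status), and its
# authenticity has already been verified upstream. Amounts are constructed.
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# The seller's price list is the only source of truth for what an item costs.
# The price embedded in the checkout form is a hint the buyer can edit.
CATALOG = {
    "GTR-BLACK": ("Black guitar", Decimal("500.00")),
    "EBOOK-01": ("E-book download", Decimal("19.95")),
}

# Constructed notifications: one honest, one reflecting an edited form.
LEGIT_IPN = "item_number=EBOOK-01&mc_gross=19.95&mc_currency=USD&payment_status=Completed"
TAMPERED_IPN = "item_number=GTR-BLACK&mc_gross=5.00&mc_currency=USD&payment_status=Completed"


def evaluate_notification(raw_ipn: str) -> dict:
    """Return {'fulfil': bool, 'reason': str} for one payment notification."""
    fields = {k: v[0] for k, v in parse_qs(raw_ipn, keep_blank_values=True).items()}
    item = fields.get("item_number", "")
    if item not in CATALOG:
        return {"fulfil": False, "reason": f"unknown item_number {item!r}"}
    name, expected = CATALOG[item]
    # Only a completed payment counts; pending or reversed ones do not.
    if fields.get("payment_status") != "Completed":
        return {"fulfil": False, "reason": "payment not completed"}
    # Compare in the currency the catalog is priced in (all USD in the thread).
    if fields.get("mc_currency") != "USD":
        return {"fulfil": False, "reason": "unexpected currency"}
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except InvalidOperation:
        return {"fulfil": False, "reason": "unparseable mc_gross"}
    # The check the thread says sellers skip when delivery is automated:
    # the amount actually received must cover the server-side price.
    if paid < expected:
        return {"fulfil": False,
                "reason": f"underpaid for {name}: got {paid}, expected {expected}"}
    return {"fulfil": True, "reason": f"{name}: paid {paid} covers {expected}"}


if __name__ == "__main__":
    for label, ipn in (("legit", LEGIT_IPN), ("tampered", TAMPERED_IPN)):
        print(label, evaluate_notification(ipn))
```

A rejected notification is the event worth logging and reviewing, since a price mismatch on a completed payment is exactly the signal that a form was edited before submission.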