Bitcoin Forum

Other => Off-topic => Topic started by: shorena on July 19, 2014, 10:00:45 AM



Title: Why Paypal is not your "pal"...
Post by: shorena on July 19, 2014, 10:00:45 AM
Source:  seclists.org/bugtraq/2014/Jul/85
Sp. thanks to:  blog.fefe.de/?ts=ad3707ae (german)

Apparently for PayPal it's not a bug to change the charged amount after(!) confirmation by the customer.

tl;dr from source:

Quote
**********************
Short description:
**********************
In PayPal Express Checkout the Online-Shop can transfer
any amount, no matter which amount the client actually
confirmed at the PayPal website.


If you are using PayPal, always check the mail. You can not rely on the information you see during confirmation. PayPal does not even recognize this as a bug.


Title: Re: Why Paypal is not your "pal"...
Post by: Lethn on July 19, 2014, 10:38:35 AM
Well that's just blatant fraud, I don't even think that counts as a bug.


Title: Re: Why Paypal is not your "pal"...
Post by: shorena on July 19, 2014, 11:01:04 AM
Quote
Well that's just blatant fraud, I don't even think that counts as a bug.

The paypal API could check for different amounts and refuse the process in case of a mismatch. However since PP has no intent to change (fix) this, it might as well be aiding and abetting.


Title: Re: Why Paypal is not your "pal"...
Post by: btmtb on July 19, 2014, 11:21:35 AM
Considering that it wouldn't be too technically awkward to tie the user approval to the amount, I cannot fathom why they don't see it as important to fix this. Even if they don't consider it a vulnerability, it would simply be good practice. I think this just needs some more exposure.

If you read his original seclists submission, he mentions that PP say it's necessary to allow for variations in shipping post-approval. Well, firstly, I'd personally consider that an insecure design choice: any variation should require re-approval. But even if they were insistent on keeping that flexibility, they could at least cap the variation before re-approval is needed to a $ or % change amount. All these things are trivial to implement and help make it a more secure platform.

Then again, I have no love for PayPal. In fact, I despise it. Which I suppose makes me a hypocrite, as I still use it occasionally when there's no alternative payment processor I prefer listed.