CS-Cart v3.0.4 has PayPal ‘buy without paying’ glitch

A bug in shopping cart software lets fraudsters buy goods without paying for them.
  • Liam Tung (CSO Online)
  • — 25 February, 2013 10:22

E-commerce merchants using shopping cart software CS-Cart version 3.0.4 and earlier are vulnerable to a flaw that allows fraudsters to buy goods without paying for them.

The flaw lies in the configuration of PayPal payments Standard edition in CS-Cart, which allows an attacker to change a merchant’s PayPal email address during a purchase.

CS-Cart released version 3.0.6 on February 14, but only hinted at a potential problem by stating that “PayPal processing security has been improved”.

It has not yet released a change log for the release, however Carnegie Mellon CERT drew attention to the potential fraud impact on Friday.

“CS-Cart v3.0.4 and possibly other versions configured with PayPal Standard Payment is susceptible to a client-side attack that results in an attacker purchasing items without having to pay for them,” Carnegie Mellon CERT warned.

A fraudster would need to make a payment to purchase a good, but the configuration allows them to redirect it to their own PayPal email account. The software also does not verify the address is the authorised merchant address.

“The parameter for the merchant's PayPal email address is controlled on the client-side and not verified by the server. This allows an attacker to change the PayPal email address to one the attacker controls allowing the attacker to purchase items on a website but effectively pay themselves instead of the merchant,” Carnegie Mellon CERT explained.

Detecting fraud that exploits this flaw on a busy e-commerce could be time-consuming and tricky. Merchants would need to manually cross-check website orders with PayPal transactions to spot it, according to the CERT.

Patches for older versions of CS-Cart in the 3.0.x and 2.2.x branches have also be released.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Tags: glitch, e-commerce, flaw, paypal, fraud, CS-Cart version 3.0.4

VMware promises Heartbleed patches for affected products by the weekend

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

AVG Internet Security 2011 Business Edition

Ultimate protection for your small or medium-sized business

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.