
Ignoring the amount customers confirm is no security bug according to PayPal

173 points | david_b | 11 years ago | seclists.org

36 comments

benmorris | 11 years ago
I've implemented express checkout on a few carts I've written. It isn't possible to calculate the shipping cost/method until the user gives at minimum their zip code and country. So basically the flow of Express Checkout doesn't allow this since that information is sent back once they authorize a charge and return to your site. At that point the customer is prompted with an order confirmation, final total and to select their shipping information. When they click confirm the charge is actually made. Express Checkout is extremely popular on all of the sites I've worked with and is probably the quickest payment method people can use. In the 6+ years we've been using it we have not had one single complaint about charging the wrong amount shown on the PayPal confirmation page. Customers understand they must select their shipping method and I would rather not have them enter duplicate information.

I am confused how this "bug" is any different than using something like the Payments Pro API. Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.

lawl | 11 years ago
I wouldn't mind entering my ZIP to precalculate the shipping costs. But seriously, shipping costs are a lame excuse. There is nothing that stops PayPal from calling back to the shop to get the shipping costs. Or just make a CORS request from the browser itself and have the shop sign the shipping costs so PayPal knows.

> Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.

Which is exactly why I only use shops with paypal where I see the amount charged on paypal.com if I don't completely trust the shop. I was under the impression that this was the value paypal provides. Apparently I was wrong. Might as well get a prepaid credit card now.
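
The two comments above describe the same gap from opposite sides: the merchant only learns the shipping choice after the customer has authorised on PayPal, and nothing binds the final capture to the amount the customer saw. The block below is an added example, not code from the thread or from PayPal, and it does not use any PayPal API. It sketches the "shop signs the shipping costs" idea as a merchant-side guard: the shop issues an HMAC-signed quote listing the subtotal and every shipping option it offered, and refuses to finalise a charge unless the chosen option was on that quote and the final total equals subtotal plus that option exactly. The secret key, order ids and prices are constructed for the demo.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed demo key (assumption): a real shop keeps this in a secrets store
# and rotates it; it never leaves the merchant's servers.
SHOP_SECRET = b"constructed-demo-secret-do-not-reuse"


def _canonical(quote: dict) -> bytes:
    """Stable serialisation so the same quote always signs to the same bytes."""
    return json.dumps(quote, sort_keys=True, separators=(",", ":")).encode()


def sign_quote(quote: dict) -> str:
    """HMAC-SHA256 over the canonical quote; this tag travels with the quote."""
    return hmac.new(SHOP_SECRET, _canonical(quote), hashlib.sha256).hexdigest()


def make_shipping_quote(order_id: str, subtotal: str, shipping_options: dict) -> dict:
    """Build the quote the customer is shown: subtotal plus each offered shipping
    option and its price. Decimal strings avoid binary-float rounding surprises."""
    quote = {
        "order_id": order_id,
        "subtotal": str(Decimal(subtotal)),
        "shipping_options": {m: str(Decimal(p)) for m, p in shipping_options.items()},
    }
    return {"quote": quote, "sig": sign_quote(quote)}


def verify_final_charge(signed_quote: dict, chosen_method: str, final_total: str) -> tuple[bool, str]:
    """Gate the capture step. Returns (ok, reason). Every rejection names the
    check that failed so it can be logged and investigated."""
    quote, sig = signed_quote["quote"], signed_quote["sig"]
    # 1. The quote must be the one the shop issued; compare_digest avoids timing leaks.
    if not hmac.compare_digest(sig, sign_quote(quote)):
        return False, "quote signature mismatch"
    # 2. The customer may only pick a shipping option that was actually offered.
    options = quote["shipping_options"]
    if chosen_method not in options:
        return False, f"shipping method {chosen_method!r} was never offered"
    # 3. The captured amount must equal exactly what the quote implies; no tolerance.
    expected = Decimal(quote["subtotal"]) + Decimal(options[chosen_method])
    actual = Decimal(final_total)
    if actual != expected:
        return False, f"final total {actual} differs from confirmed {expected}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed order: a 19.95 subtotal with two shipping options.
    sq = make_shipping_quote("order-demo-1", "19.95", {"standard": "3.00", "express": "6.00"})
    print(verify_final_charge(sq, "standard", "22.95"))   # accepted
    print(verify_final_charge(sq, "standard", "25.95"))   # rejected: total drifted
    print(verify_final_charge(sq, "courier", "22.95"))    # rejected: option not offered
```

The useful property is that the amount the customer confirmed and the set of permissible add-ons are fixed before the redirect, so a later capture that falls outside them fails closed on the merchant's own side regardless of what the payment provider would have allowed.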

marze | 11 years ago
Of course it is a bug. Proper behavior would be to confirm the amount plus shipping, or at very least, limit the change to an amount no greater than $20 more than what was confirmed.

anujnayar | 11 years ago
Hi - It's Anuj Nayar from PayPal. I can confirm that through our Bug Bounty Program a researcher reported this suspected vulnerability with our PayPal Express Checkout.

After looking into the issue, we don't think this is in fact a vulnerability. We work closely with our merchants who use Express Checkout to provide them the flexibility they need to complete their transactions in a timely manner so they can offer excellent payments experiences to their customers. We offer robust buyer and seller protection to cover both ends of the transaction and our systems are pretty good at finding and flagging this kind of illegal behavior if a merchant were to start overcharging your customers.

beejiu | 11 years ago
This is how it has always been; it's written in the documentation. I don't personally consider this a bug, since a retailer could feasibly accept a credit card and charge whatever they want to it. The fact the PayPal allows the amount to be changed is not dangerous, because PayPal holds the liability and any charges can be reversed. Furthermore, the business who charges consumers without consent will be committing fraud.

thejosh | 11 years ago
It's a flaw though. A user trusts that the amount that they see in PayPal ($19.95) is what they will be charged when they click accept - not $21.95 or $25.95 or $2,000.

It's different if you are having your customers type in their details, even though they hope you will charge them $19.95, and not double charge them or steal their credit card information - this is a reason why people use PayPal.

But yeah, like you said it is fraud, though a business could argue shipping charges or tax or "addon pricing" or whatever for a small amount (a company I would see doing this is GoDaddy), but larger amounts their PayPal account would probably be banned.

Hermel | 11 years ago
> any charges can be reversed

Good luck with that. It's very hard to get your money back when the merchant knows how to answer PayPal's questions. I failed at doing so when a merchant sold me something he could not deliver and then insisted on giving me a voucher instead of returning my money.

jackweirdy | 11 years ago
True, but how many customers read the documentation? If that's the way it is, the user should at least be told that on the checkout screen.

david_b | 11 years ago
While I can see how this behaviour of PayPal is close to credit cards, I cannot see how they can show an amount that may be incorrect - they could just ask the shop whether the amount is final or not and indicate that in some way.

I wouldn't be astonished to see chargebacks (by buyers who think they were overcharged) resulting from this - that can hardly be in anyone's interest.

seabee | 11 years ago
If a bug causes behaviour that everybody expects, is it still a bug?

bencoder | 11 years ago
I recently integrated PayPal. I did a test to see how much extra we could charge if the customer chose an obscure shipping address and there didn't appear to be any limits like I was expecting (I was expecting a percentage +/- of the "confirmed" amount).

I asked paypal and they confirmed that there's no limit.

It is a little weird, but since paypal always sides with customers in disputes, it's probably not so bad if you get hit with this.

mathias | 11 years ago
I spotted this earlier this week when ordering a t-shirt through TeeSpring using PayPal. I authorized a payment of 22.95 USD. Here’s a screenshot from the payment confirmation email I received: http://i.imgur.com/BGjKcsW.png The math doesn’t quite add up.

splitbrain | 11 years ago
This confuses the heck out of me every time I have to work with the Paypal API. I never understood why they implemented it this way. It makes absolutely no sense IMHO but has always been this way. I'm surprised that this isn't used much more often for fraud.

beejiu | 11 years ago
Some businesses store their delivery costs at PayPal (by country), rather than on their own servers. Hence, they have to go to PayPal to determine these costs. But then, that's just rather poor implementation on part of the retailer.

habosa | 11 years ago
Seems like the sort of trust system that is common in restaurants.

1) You get the check with a total of food and drink.

2) The waiter/waitress takes your card to the register for authorization.

3) You get your card back.

4) You hand-write the tip amount and total, then walk away. You trust the merchant to charge the amount you wrote.

5) The restaurant charges the amount you wrote, but you don't know this for sure until you check your statement.

kuschku | 11 years ago
Here in Germany it works like this:

1) You get the check with a total

2) The waiter hands you a mobile card terminal (like this: http://pay-tec.de/cms/paytec/wp-content/uploads/2014/04/1.jp... )

3) You put your card in the terminal

4) The waiter enters the amount to pay + what you said you'd tip

5) You see the total, enter your PIN, press confirm

6) The waiter hands you back your card.


true_religion | 11 years ago
Not really common in European restaurants. They bring you a card machine, you swipe and add the tip right there on the machine.

arrel | 11 years ago
This is the magic of market dynamics. If a business fraudulently takes advantage of this they will not build up a customer base, PayPal will shut down their account, and money will be refunded. PayPal is taking most of the risk so that businesses can be flexible and provide a better experience.

It's not a bug, it's the way things should work with more services. PayPal's product may be outdated in many ways, but this is not one of them.

jdong | 11 years ago
This is hardly an issue with a system that by design allows payment reversals. If you get defrauded, just chargeback.

arjie | 11 years ago
Now I have to pay, then verify each payment manually. This is the job I thought PayPal was doing for me. Instead they've created more work since now I have to check two places to make sure charges are correct: my credit card statement and PayPal.
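
The manual two-place check described above can at least be automated. The block below is an added example, not code from the thread or from PayPal: it reconciles a list of amounts a buyer confirmed on the provider's page against the amounts that were actually captured, matched by transaction id, and classifies every mismatch (overcharge, undercharge, a confirmation never captured, a capture with no matching confirmation). The transaction ids, merchants and amounts are constructed sample data, and the record format is an assumption; real exports would need a small parser in front of this.

```python
from decimal import Decimal

# Constructed sample records (assumed format): what the buyer saw and confirmed
# on the provider's page, and what the merchant later captured.
CONFIRMED = [
    {"txn": "T1001", "merchant": "shop-a", "amount": "22.95"},
    {"txn": "T1002", "merchant": "shop-b", "amount": "19.95"},
    {"txn": "T1003", "merchant": "shop-c", "amount": "10.00"},
]
CAPTURED = [
    {"txn": "T1001", "merchant": "shop-a", "amount": "22.95"},
    {"txn": "T1002", "merchant": "shop-b", "amount": "25.95"},
    {"txn": "T1004", "merchant": "shop-d", "amount": "2000.00"},
]


def reconcile(confirmed: list[dict], captured: list[dict], tolerance: str = "0.00") -> list[dict]:
    """Join confirmations to captures by transaction id and flag discrepancies.
    `tolerance` is the absolute drift (in currency units) the buyer is willing
    to ignore; the default of 0.00 flags any change at all."""
    tol = Decimal(tolerance)
    shown = {r["txn"]: Decimal(r["amount"]) for r in confirmed}
    taken = {r["txn"]: Decimal(r["amount"]) for r in captured}
    findings = []
    for txn, expected in shown.items():
        if txn not in taken:
            # Authorised but never captured: not a loss, but worth knowing about.
            findings.append({"txn": txn, "kind": "not_captured", "diff": Decimal("0.00")})
            continue
        diff = taken[txn] - expected
        if diff > tol:
            findings.append({"txn": txn, "kind": "overcharge", "diff": diff})
        elif diff < -tol:
            findings.append({"txn": txn, "kind": "undercharge", "diff": diff})
    for txn in taken.keys() - shown.keys():
        # Money left the account with no confirmation on record at all.
        findings.append({"txn": txn, "kind": "unexpected_capture", "diff": taken[txn]})
    return sorted(findings, key=lambda f: f["txn"])


def total_overcharge(findings: list[dict]) -> Decimal:
    """Sum of every positive drift; the figure a buyer would cite in a dispute."""
    return sum((f["diff"] for f in findings if f["kind"] in ("overcharge", "unexpected_capture")),
               Decimal("0.00"))


if __name__ == "__main__":
    for f in reconcile(CONFIRMED, CAPTURED):
        print(f"{f['txn']}: {f['kind']} ({f['diff']})")
    print("total to dispute:", total_overcharge(reconcile(CONFIRMED, CAPTURED)))
```

Running it with a non-zero tolerance (say "1.00") is how a buyer would distinguish a rounding or small shipping adjustment from the kind of drift that warrants a dispute; the classification itself does not change, only which rows are reported.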

LeicaLatte | 11 years ago
They don't have David Marcus anymore to respond in these forums. Poor PayPal.

anujnayar | 11 years ago
Hi - it's Anuj Nayar, senior director of global initiatives at PayPal. I have been reading this string with interest. We offer both buyer and seller protection to try and make sure we cover everyone. We do not always side with the buyer. On the restaurant payment side, we have been rolling out mobile payments solutions at places around the world that let you check out and pay from your phone (inc tip). You are notified via text and email as soon as it goes through.