PayPal Standard Hack Causes Wrong Order Total in OpenCart 1.5.x

Posted by Paul on July 3, 2015

If you're using OpenCart 1.5.x and PayPal Standard as your gateway, your shop is potentially vulnerable to an attack that will allow customers to pay what they want for your products. Now I know Radiohead popularized this concept with their "In Rainbows" album, but I suspect the model doesn't work so well for companies that are selling tangible products.

About the Hack
Once a customer has added the products to their cart and got to the end of the checkout, they will be on a page that has hidden form fields. If they edit the HTML code in their browser (easily possible by pressing F12 in most modern browsers) they can change the total amount that will be sent to PayPal. They then press continue, get sent to PayPal, pay 1 pence or whatever they decide they should pay, and are returned to the store. PayPal will report that the order was successful and unfortunately OpenCart won't check that the correct amount was paid.

The store owner will see the order appear in their admin but unless they also check PayPal and compare the totals for every order they won't have any way of knowing that an incorrect amount was paid. If you ship a high volume of products it may be impractical to check. If you sell digital downloads, the customer will be able to download the product before you realize what's happened. Again, this will only affect 1.5.x and below. The issue is fixed in OpenCart 2.

How you can Protect Yourself
Luckily there is a quick fix in the form of this Antropy extension:

Once installed, OpenCart will check the amount paid to PayPal against the order total and will give any order where they don't match a status of "Failed" so that the store owner doesn't unwittingly ship the product.
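In outline, the check such a fix has to perform, as an added example written for this post (it is not the Antropy extension's code nor OpenCart's): the server-side handler for PayPal's IPN message ignores whatever total the browser posted and instead compares what PayPal reports as actually paid (`mc_gross`, `mc_currency`) with the order total the shop stored when the cart was built, also confirming `payment_status` and `receiver_email`. The function names, the `$order` array layout and the two sample IPN messages are assumptions constructed for the example.

```php
<?php
// Added example, not OpenCart's or the extension's code. Assumes the IPN message
// has already been validated with PayPal's postback and the order row exists.

// Return a list of reasons the IPN does not match the order; empty means OK.
function ipn_mismatches(array $ipn, array $order): array
{
    $reasons = [];
    // PayPal reports a finished payment as "Completed".
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $reasons[] = 'payment_status is not Completed';
    }
    // The money must have gone to the shop's own PayPal account.
    if (strcasecmp($ipn['receiver_email'] ?? '', $order['paypal_email']) !== 0) {
        $reasons[] = 'receiver_email is not the shop account';
    }
    // Amounts are only comparable in the same currency.
    if (strtoupper($ipn['mc_currency'] ?? '') !== strtoupper($order['currency'])) {
        $reasons[] = 'mc_currency differs from the order currency';
    }
    // mc_gross is what was actually paid; the hidden total the browser posted
    // is never consulted, since that is the field the customer can edit.
    $paid     = (int) round((float) ($ipn['mc_gross'] ?? 0) * 100); // minor units
    $expected = (int) round((float) $order['total'] * 100);
    if ($paid !== $expected) {
        $reasons[] = "paid $paid minor units, expected $expected";
    }
    return $reasons;
}

// Status the store owner acts on: "Failed" blocks shipping, as the fix above does.
function decide_order_status(array $ipn, array $order): string
{
    $problems = ipn_mismatches($ipn, $order);
    if ($problems !== []) {
        error_log("PayPal total mismatch, order {$order['id']}: " . implode('; ', $problems));
        return 'Failed';
    }
    return 'Complete';
}

// Constructed sample: order total GBP 49.99; the tampered checkout sent 0.01.
$order = ['id' => 1001, 'total' => '49.99', 'currency' => 'GBP',
          'paypal_email' => 'shop@example.com'];
$tampered = ['payment_status' => 'Completed', 'receiver_email' => 'shop@example.com',
             'mc_currency' => 'GBP', 'mc_gross' => '0.01'];
$genuine = ['mc_gross' => '49.99'] + $tampered; // same message, correct amount
echo decide_order_status($tampered, $order), "\n";
echo decide_order_status($genuine, $order), "\n";
```

Money is compared in integer pence rather than as floats so that a total such as 49.99 cannot be judged unequal to itself through rounding.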

Have you had this issue? Did our extension fix it? Let us know in the comments!

[Update 25/11/2015]
Daniel Kerr, the Lead Developer and Project Owner of OpenCart, has let us know that the issue can also be avoided if you set your default Order Status in PayPal to "Pending" and then configure the PayPal settings so that a successful payment moves the order to "Completed" or "Paid".
After this, you should only ship orders with a "Completed" status. If they remain "Pending" then you should check manually in PayPal that the totals add up. You will also see a message in System > Error Logs. You can of course still use our extension, which will set the status of mismatched orders to "Failed".
