Re: PayPal Payflow extension exploited for fraudulent transactions
I just opened an issue on GitHub -- to my surprise I couldn't find one concerning this matter.
https://github.com/magento/magento2/issues/21870
Re: PayPal Payflow extension exploited for fraudulent transactions
I am being told this issue is fixed on the GitHub repositories. I will test and follow up.
Re: PayPal Payflow extension exploited for fraudulent transactions
The latest PayPal module code from the 2.2-develop branch did NOT work! I still got hit with $0 auths!
Re: PayPal Payflow extension exploited for fraudulent transactions
Thanks for that info. I will test it shortly.
For those with this issue, I have gone through my access logs and identified 35 IP addresses coming from Amazon Web Services that seem to be behind this exploit. These IPs had roughly 60-70 user sessions open at all times and were entering directly into a cart checkout page. I have blocked these IPs at server level and the user hasn't popped back up in the last couple hours. (correction, I just checked and the hacker is back on new IPs)
Re: PayPal Payflow extension exploited for fraudulent transactions
@AndyAJ , do you know if I'm able to just copy the PayFlow files to fix this? (granted the fix works)
Do you know what files I can copy?
I have 3 sites, each running 30 extensions and custom theme, so doing a full upgrade to each of them would take a while and we are currently dead in the water on all our sites and unable to take orders.
Thanks in advance for any insight.
Larry
Re: PayPal Payflow extension exploited for fraudulent transactions
Hi Larry,
Copying the code from either the 2.2-develop or 2.3-develop branches did not work for me. Another user said the following helped them, which you are welcome to try (but it did not work for me.)
Change the conditional on vendor/magento/module-paypal/Controller/Transparent/RequestSecureToken line 85 from
if (!$quote or !$quote instanceof Quote) {
To
if (!$quote or !$quote instanceof Quote or !$quote->getId()) {
Re: PayPal Payflow extension exploited for fraudulent transactions
For anybody dealing with this issue, I created a gist giving an example fail2ban configuration that blocks any IP address that attempts to exploit this vulnerability by requesting the endpoint more than 10 times in 10 minutes.
https://gist.github.com/digitalengineering/896934dd526302a68c198e1b0333219b
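The rate check described in the post above (more than 10 requests to the endpoint in 10 minutes), applied to access log lines like the ones reviewed earlier in the thread. This is an added example, not part of the original posts or the linked gist; the endpoint URL, the combined log format and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: URL route served by the RequestSecureToken controller named above.
ENDPOINT = "/paypal/transparent/requestSecureToken"
# Assumption: Apache/nginx "combined" log, each IP's entries in chronological order.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp) if the line is a request to ENDPOINT, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Ignore query string, trailing slash and letter case when matching the path.
    path = m.group("path").split("?", 1)[0].rstrip("/").lower()
    if path != ENDPOINT.lower():
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def flag_ips(lines, max_hits=10, window=timedelta(minutes=10)):
    """Map each IP that exceeds max_hits within window to its peak hit count."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ip, ts = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) > max_hits:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def make_lines(ip, count, step_seconds, path=ENDPOINT):
    """Constructed sample log lines (documentation IPs, not real traffic)."""
    base = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return ['%s - - [%s] "POST %s HTTP/1.1" 200 512 "-" "-"'
            % (ip, (base + timedelta(seconds=step_seconds * i)).strftime(TS_FMT), path)
            for i in range(count)]

if __name__ == "__main__":
    log = make_lines("203.0.113.10", 12, 30) + make_lines("198.51.100.7", 2, 60)
    for ip, hits in flag_ips(log).items():
        print(f"{ip}: {hits} requests to {ENDPOINT} within 10 minutes")
```

Because the threshold is per IP, a client that rotates addresses stays under it on each one, so the total request volume to the endpoint is worth watching as well.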
Re: PayPal Payflow extension exploited for fraudulent transactions
Does anyone know if disabling guest checkout prevents this?
Re: PayPal Payflow extension exploited for fraudulent transactions
I believe Magento has released a patch to prevent this though now.
Re: PayPal Payflow extension exploited for fraudulent transactions
https://support.magento.com/hc/en-us/articles/360025515991
Please update your magentos