I wanted to submit a problem we had today with the built-in Magento 2.2.5 PayFlow Pro extension.
This is an extension we disabled a year ago and were not using due to issues with PayPal not fixing their zero dollar transaction authorizations and the slowness of orders processing. However today, despite this extension being disabled, a script began running that was exploiting this extension on our site to test fraudulent cards. They were occurring at a rate of 1 every second. 10000's of transaction authorizations occurred before PayPal alerted me.
We changed and then deleted the API credentials and also took other measures on our server but I wanted to alert the Magento community that this issue exists and other than disabling it there was no way to stop 10000's of test authorizations.
Our hosts said this "It does look like the URI used "/paypal/transparent/requestSecureToken/" is the Payflow pro place_order_url (app/code/Magento/Paypal/etc/config.xml) which confirms the requests were the culprit. It's difficult to know how these were still getting through even with Payflow disabled."
You are using a community edition ie. open source edition of Magento.
FYI: once you disable an third party extension. You also need to remove the extension code from the app/code directory. Magento do not remove code of any third party extension by disabling it through CLI. It means that your code is still exist there on the server. You need to remove it.
Please take care of this kind of fraudulent malware attacks in future.
If my answer is useful, please Accept as Solution & give Kudos
We got hit today. Payflow is who we primarily use so this is a huge disruption for us.
We got hit as well today. Brainstorming some potential solutions right now.
Let me know if somebody here has any ideas what would be a simple solution to the issue.
one of my clients has just reported the same issue.
Until we find a solution, PayPal has shut down my client's account.
Our host implemented some mod_security rules that prevented multiple connections to the server and also banned the country that was initiating the attack along with a few other tweaks to our server security. We have also stopped using PayFlow to process credit cards because this was ridiculous. Somebody needs to look at closing this serious exploit in this native extension.
Yeah, honestly this was the last straw for Payflow. We have been having intermittent issues since moving to M2. We're trying to get Braintree up and running as I've heard good things from that end.
We had the exact same issue. Added the following rule to apache vhost config to block that URL:
# block paypal payflow DOS exploit path
Require all denied
Edit: This will disable Payflow. If you need Payflow enabled, you'll need to set up a rate limiter on that endpoint using something like fail2ban.
Is there no patch to fix this issue? This is happening in 2.2.6 as well.
I blocked China to temporarily resolve the issue.
I have a client with the exact same issue. Their merchant provider does not have reliable M2 gateway integration, so they are using PayFlow. they have lost a significant amount of income, as they have been disabled by PayFlow for a week or two off and on due to this issue.
I visited Magentos patches page and dont see any notes about this. Is there no fix for this at this time?