
PayPal Payflow extension exploited for fraudulent transactions


Re: PayPal Payflow extension exploited for fraudulent transactions

I just opened an issue on GitHub -- to my surprise I couldn't find one concerning this matter.

https://github.com/magento/magento2/issues/21870

 


Re: PayPal Payflow extension exploited for fraudulent transactions

I am being told this issue is fixed on the GitHub repositories. I will test and follow up.


Re: PayPal Payflow extension exploited for fraudulent transactions

The latest PayPal module code from the 2.2-develop branch did NOT work! I still got hit with $0 auths!


Re: PayPal Payflow extension exploited for fraudulent transactions

Thanks for that info. I will test it shortly.

 

For those with this issue, I have gone through my access logs and identified 35 IP addresses coming from Amazon Web Services that seem to be behind this exploit. These IPs had roughly 60-70 user sessions open at all times and were entering directly into a cart checkout page. I have blocked these IPs at server level and the user hasn't popped back up in the last couple hours. (correction, I just checked and the hacker is back on new IPs)

 

34.226.217.189
52.90.105.63
3.86.194.220
54.162.199.5
34.203.31.73
54.242.248.51
3.91.22.229
3.83.122.116
3.86.17.235
3.87.125.27
3.84.1.204
3.86.195.29
18.207.168.178
3.91.105.65
107.22.64.199
54.167.218.195
34.203.189.201
34.235.160.85
18.206.243.7
54.92.169.31
3.81.72.223
54.162.221.69
54.146.245.126
54.158.13.28
54.81.159.253
54.91.208.246
3.80.245.34
3.87.158.162
54.208.28.191
34.228.218.112
54.196.24.167
54.175.76.197
54.204.151.47
54.197.78.24
54.221.70.114


Re: PayPal Payflow extension exploited for fraudulent transactions

@AndyAJ , do you know if I'm able to just copy the PayFlow files to fix this? (granted the fix works)

 

Do you know what files I can copy?

 

I have 3 sites, each running 30 extensions and a custom theme, so doing a full upgrade to each of them would take a while, and we are currently dead in the water on all our sites and unable to take orders.

 

Thanks in advance for any insight.

Larry


Re: PayPal Payflow extension exploited for fraudulent transactions

Hi Larry,

 

Copying the code from either the 2.2-develop or 2.3-develop branches did not work for me. Another user said the following helped them, which you are welcome to try (but it did not work for me.)

 

change the conditional on vendor/magento/module-paypal/Controller/Transparent/RequestSecureToken line 85 from

if (!$quote or !$quote instanceof Quote) {

To

if (!$quote or !$quote instanceof Quote or !$quote->getId()) {

Re: PayPal Payflow extension exploited for fraudulent transactions

For anybody dealing with this issue, I created a gist giving an example fail2ban configuration that blocks any IP address that attempts to exploit this vulnerability by requesting the endpoint more than 10 times in 10 minutes.

 

https://gist.github.com/digitalengineering/896934dd526302a68c198e1b0333219b
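The two mitigations posted above (blocking the AWS source IPs at the server, and the fail2ban rule that bans any IP requesting the endpoint more than 10 times in 10 minutes) both come down to the same detection logic: count requests to the secure-token endpoint per source IP inside a sliding window and emit a deny rule for anyone over the threshold. The following is an added example written for this thread; it is not the content of the gist above and not Magento or fail2ban code. It assumes the endpoint path is /paypal/transparent/requestSecureToken (derived from the controller class name quoted earlier in the thread; verify it against your own access log), that the web server writes combined log format, and the log lines it runs on are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed endpoint path for Magento\Paypal\Controller\Transparent\RequestSecureToken.
# Confirm the exact path in your own access log before relying on it.
TOKEN_ENDPOINT = "/paypal/transparent/requestSecureToken"
MAX_HITS = 10                   # "more than 10 times ..."
WINDOW = timedelta(minutes=10)  # "... in 10 minutes", as in the fail2ban rule above

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def is_token_request(path):
    """Match the endpoint regardless of query string or trailing slash."""
    return path.split("?", 1)[0].rstrip("/") == TOKEN_ENDPOINT


def find_offenders(lines, max_hits=MAX_HITS, window=WINDOW):
    """Sliding-window count per IP of requests to the token endpoint.

    Returns {ip: timestamp_of_first_excess}. Lines only need to be in
    chronological order per IP; each IP keeps its own window.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if not is_token_request(path):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) > max_hits and ip not in offenders:
            offenders[ip] = ts
    return offenders


def deny_rules(offenders):
    """nginx-style deny directives for the offending IPs, one per line."""
    return ["deny %s;" % ip for ip in sorted(offenders)]


def make_sample_log():
    """Constructed access-log lines for the example (not real logs from the thread)."""
    base = datetime(2019, 4, 10, 14, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, path, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return '%s - - [%s] "POST %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (ip, ts, path, status)

    lines = []
    # Card-testing bot: 12 token requests in two minutes, exceeds 10 within 10 minutes.
    lines += [entry("34.226.217.189", 10 * i, TOKEN_ENDPOINT) for i in range(12)]
    # Slow probe: 11 requests spread over 50 minutes, never more than 3 in any 10-minute window.
    lines += [entry("52.90.105.63", 300 * i, TOKEN_ENDPOINT) for i in range(11)]
    # Ordinary shopper: normal checkout traffic plus a single token request.
    lines += [entry("198.51.100.7", 30, "/checkout/"),
              entry("198.51.100.7", 90, TOKEN_ENDPOINT + "/")]
    return lines


if __name__ == "__main__":
    hits = find_offenders(make_sample_log())
    for ip, when in hits.items():
        print("%s exceeded %d token requests at %s" % (ip, MAX_HITS, when.isoformat()))
    print("\n".join(deny_rules(hits)))
```

The slow-probe IP in the sample is there to show the limit of this approach: a bot that spaces its $0 authorizations out (or rotates source IPs, as the poster above saw) stays under any per-IP rate threshold, so rate limiting buys time but does not replace the code fix to the RequestSecureToken controller.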


Re: PayPal Payflow extension exploited for fraudulent transactions

Does anyone know if disabling guest checkout prevents this?


Re: PayPal Payflow extension exploited for fraudulent transactions

No, it doesn't.

I believe Magento has now released a patch to prevent this, though.

Re: PayPal Payflow extension exploited for fraudulent transactions