2009-04-15 paypal

by Vasil Kolev

This is a bug that the company of a friend (who prefers to remain anonymous for some reasons) ran into in the PayPal payments interface, specifically the ExpressCheckout part.

The case is that in one payment they took $1000 from a user instead of $10. It wasn’t clear why that happened, so they looked and looked at the code, wondered, and in the end found it…

The interface works in the following way – the merchant site does a POST to PayPal, then redirects the user there to authorize him/herself, and when the user gets redirected back, the merchant site does one more request to finish the payment. Not bad, but it has the following two issues:
1) The user never sees HOW MUCH money he is giving, and
2) In both requests from the merchant site an amount is passed. Only the second one is taken into account.

So this way the user will never find out how much money will be taken from him until it’s really taken and he logs into his account. At least according to me, this is horribly stupid (the guys found their mistake: in the second request they were passing cents instead of dollars). I don’t think I’ll be making an account there :)
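To make the failure mode concrete, here is a small simulation I’ve added (it is not code from the post or from PayPal, and the gateway, class and function names are all made up). The fake gateway mirrors exactly what the post describes: the first leg registers an amount under a token, the user only authorizes the token without seeing the amount, and the second leg charges whatever figure it carries. `naive_checkout` reproduces the cents-vs-dollars slip; `CheckedMerchant` is the defensive version, which remembers what it announced in the first leg, shows the user that figure before finishing, and refuses to send a second leg whose amount differs from the first.

```python
"""Two-leg redirect checkout simulation with a merchant-side amount check.
Added illustration only: FakeGateway is a stand-in for the provider, not its API."""
from dataclasses import dataclass, field
from decimal import Decimal
import secrets


def cents_to_major(cents: int) -> Decimal:
    """Convert an integer cent amount to major units, e.g. 1000 -> Decimal('10.00')."""
    return (Decimal(cents) / 100).quantize(Decimal("0.01"))


@dataclass
class FakeGateway:
    """Constructed stand-in for the provider. Behaviour copied from the post:
    leg 1 stores an amount under a token, leg 2 charges the amount it is given
    and ignores what leg 1 said."""
    sessions: dict = field(default_factory=dict)   # token -> amount announced in leg 1
    charged: dict = field(default_factory=dict)    # token -> amount actually taken

    def set_checkout(self, amount: Decimal) -> str:
        token = secrets.token_hex(8)
        self.sessions[token] = amount
        return token

    def do_payment(self, token: str, amount: Decimal) -> Decimal:
        if token not in self.sessions:
            raise KeyError("unknown checkout token")
        self.charged[token] = amount          # the second figure wins, as in the post
        return amount


def naive_checkout(gw: FakeGateway, price_cents: int) -> Decimal:
    """The mistake: leg 1 is converted to dollars, leg 2 sends the raw cent figure."""
    token = gw.set_checkout(cents_to_major(price_cents))
    # ... user is redirected to the provider, authorizes, and is sent back ...
    return gw.do_payment(token, Decimal(price_cents))   # BUG: 1000 cents sent as $1000


class CheckedMerchant:
    """Defensive merchant side (hypothetical): records the announced amount,
    shows it to the user, and only finishes with exactly that amount."""

    def __init__(self, gw: FakeGateway):
        self.gw = gw
        self.pending: dict[str, Decimal] = {}   # token -> amount sent in leg 1

    def start(self, price_cents: int) -> str:
        amount = cents_to_major(price_cents)
        token = self.gw.set_checkout(amount)
        self.pending[token] = amount
        return token

    def confirmation_text(self, token: str) -> str:
        """What the user is shown on return, since the provider never shows it."""
        return f"You are about to pay {self.pending[token]:.2f} USD."

    def finish(self, token: str, amount: Decimal) -> Decimal:
        """Second leg. `amount` is whatever the caller computed; it must equal
        the figure announced in leg 1 or nothing is charged."""
        expected = self.pending.get(token)
        if expected is None:
            raise KeyError("no pending checkout for this token")
        if amount != expected:
            raise ValueError(f"second-leg amount {amount} != announced {expected}")
        charged = self.gw.do_payment(token, amount)
        del self.pending[token]               # consumed only on success
        return charged


def run_demo() -> tuple[Decimal, Decimal]:
    """Returns (what the naive flow charged, what the checked flow charged) for a $10 order."""
    naive_charge = naive_checkout(FakeGateway(), 1000)
    merchant = CheckedMerchant(FakeGateway())
    token = merchant.start(1000)
    try:
        merchant.finish(token, Decimal(1000))       # same slip, now rejected
    except ValueError:
        pass
    safe_charge = merchant.finish(token, Decimal("10.00"))
    return naive_charge, safe_charge


if __name__ == "__main__":
    print(run_demo())
```

The guard is only half the fix: keeping all money as integer cents end to end and converting once, at the boundary, removes the unit confusion itself, while the first-leg/second-leg comparison catches any other way the two figures can drift apart.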

(p.s. there are some people who know which company this is – can you keep quiet, it took some time to persuade the guy to allow me to publish this :) )
