PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WordPress.org. See: new forums @ WordPress.org

ClickBank Button URL tampering

s2Member Plugin. A Membership plugin for WordPress®.

Post by pbradaric » September 20th, 2011, 4:09 pm

Hello.

Let's say I have multiple ClickBank products (1,2,3,4) with different prices. In order to grant access to different product "pages" I use custom capabilities (as explained in these videos http://www.s2member.com/custom-capabilities-video/). Now, I need to generate ClickBank buttons for each of these products (all for level 1).
For the sake of simplicity, let's say I have four "custom capabilities" (cap1, cap2, cap3, cap4). For product 1, I also specify "cap1" under "custom capabilities". For product 2, I specify "cap2" under "custom capabilities". The same goes for products 3 and 4.
Generated URLs have, among other pass-thru variables, this: "s2_invoice=1%3Acap1" (for product 1). For all other products, the "s2_invoice" param has the appropriate "capN" value.
Now, my concern is this. If the "s2_invoice" param for product 1 is changed from this "s2_invoice=1%3Acap1" to this "s2_invoice=1%3Acap1%2Ccap2%2Ccap3%2Ccap4", wouldn't that user be granted access to the other products as well? The thing is, anyone can change the request URL and buy a single product but gain access to all other products just by changing the s2_invoice param value.

I hope I'm wrong.

Best regards,
Pedja
pbradaric | Registered User | Posts: 4 | Joined: September 20, 2011

Re: ClickBank Button URL tampering

Post by Cristián Lávaque » September 20th, 2011, 10:15 pm

It's a great question. I'll forward it to Jason.
Cristián Lávaque http://cristianlavaque.com
Is s2Member working for you? Please rate it at WordPress.org. Thanks! :)
Cristián Lávaque | Developer | Posts: 6836 | Joined: December 22, 2010

Re: ClickBank Button URL tampering

Post by BlogPiG » September 22nd, 2011, 10:30 am

Is this not a concern to anyone else?

Effectively he's saying customers can choose their access level by tweaking the payment URL!

Is this real?
BlogPiG | Registered User | Posts: 5 | Joined: May 27, 2011

Re: ClickBank Button URL tampering

Post by MODassic » September 22nd, 2011, 11:27 am

This also concerns me, but I have a simpler question.

Does this only affect ClickBank or does it affect all payment gateways?
MODassic | Registered User | Posts: 13 | Joined: August 31, 2011

Re: ClickBank Button URL tampering

Post by BlogPiG » September 22nd, 2011, 12:19 pm

I've not looked into the other gateways; are the capabilities sent via the buy button URL for all gateways?
I guess they must be, as S2 holds no central data on products/access/capabilities for the IPN to call via an internal code.

I'm not a fan of WishList Member for various reasons, but they use an ?sku=1234567 to call back into the system, as the product/level is stored. This can still be removed, leaving you with an orphaned order in CB, but no fraud can take place.

aMember goes even better and lets me associate the ClickBank product_id with an internal product number, so no parameters are needed with the buy button at all. URL tampering is impossible.

Don't get me wrong, both of these other solutions have some other major issues and S2 kicks their ass in many ways apart from this, which, until I understand it better, is a show stopper.

Can't wait to hear from the dev on this.
BlogPiG | Registered User | Posts: 5 | Joined: May 27, 2011

Re: ClickBank Button URL tampering

Post by BlogPiG » September 24th, 2011, 7:14 am

Still no response on this? C'mon guys, it's a yes or no answer....
BlogPiG | Registered User | Posts: 5 | Joined: May 27, 2011

Re: ClickBank Button URL tampering

Post by pbradaric » September 24th, 2011, 12:26 pm

Hi.

I've confirmed my suspicions by performing a ClickBank test mode purchase. I copied the purchase button URL and added more custom capabilities, and s2Member created a new account with all the custom capabilities I added "manually" to the purchase URL.
Now, the question is, how do we protect ourselves against users who will try the same thing I did?

Best regards,
Pedja
pbradaric | Registered User | Posts: 4 | Joined: September 20, 2011

Re: ClickBank Button URL tampering

Post by Cristián Lávaque » September 25th, 2011, 5:22 pm

The problem with the tampering in this case is when using custom capabilities, not with the product they're purchasing. If they tamper with the URL to change the product, then ClickBank will sell them the other product at its right price.

We're looking at the possibility of encrypting the order buttons/URLs. PayPal already allows button encryption.
Cristián Lávaque http://cristianlavaque.com
Is s2Member working for you? Please rate it at WordPress.org. Thanks! :)
Cristián Lávaque | Developer | Posts: 6836 | Joined: December 22, 2010

Re: ClickBank Button URL tampering

Post by pbradaric » September 26th, 2011, 3:29 am

Hi.

Yes, well, actually, the problem is that the user then has access to all of the products! I think this is a pretty big deal.
Also, I see no problem with encrypting the whole attributes part of the URL; all the attributes in the purchase URL are "pass through" attributes (the service returns them to the "Thank You Page" unaltered). Also, you could use that "Security Encryption Key" (which s2Member already uses) to encrypt this data.

Best regards,
Pedja
pbradaric | Registered User | Posts: 4 | Joined: September 20, 2011

Re: ClickBank Button URL tampering

Post by Jason Caldwell » September 27th, 2011, 1:22 pm

Thanks for reporting this important issue.
~ and thanks for the heads up Cristián.

Yes, this is an issue that needs to be addressed. In the latest versions of s2Member we've introduced URL-signing functionality, which will be completed and integrated into ClickBank® very soon. Once that's completed, this vulnerability will no longer exist. In the meantime, you are correct. Changing values in the s2_invoice parameter is possible.

This security vulnerability affects the following Payment Gateways integrated with s2Member:
  • ccBill® Buttons ( but to a far lesser degree, not as vulnerable )
  • ClickBank® Buttons ( the most vulnerable in this regard )
  • Google® Checkout Buttons ( also vulnerable )
  • PayPal® Buttons ( but only when button encryption is NOT used )
    ( with PayPal® Buttons, you can enable button encryption to prevent this, see: s2Member -> PayPal Options -> Account Details -> Button Encryption )
This security vulnerability does NOT affect these Payment Gateway integrations:
  • PayPal Pro Forms ( available with s2Member Pro )
  • Authorize.Net Pro Forms ( available with s2Member Pro )
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here.
Jason Caldwell | Lead Developer | Posts: 4045 | Joined: May 3, 2010 | Location: Georgia / USA
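The URL-signing approach Jason describes (and the keyed "Security Encryption Key" idea Pedja raises above), shown in Python as an added example; this is not s2Member's own code, and the secret key, the `|` signature separator and the helper names are assumptions. The `level:cap1,cap2` invoice format follows the `s2_invoice=1%3Acap1` value quoted in the thread.

```python
import hashlib
import hmac
import urllib.parse

# Assumed site-wide secret, standing in for a key the site already holds
# (constructed placeholder, not a real key).
SECRET_KEY = b"example-site-secret-key-placeholder"


def sign_invoice(level: int, caps: list[str], key: bytes = SECRET_KEY) -> str:
    """Build the pass-thru value 'level:cap1,cap2' and append an HMAC over it.

    The signature is computed server-side when the button is rendered, so a
    buyer who edits the capability list cannot produce a matching tag.
    """
    invoice = f"{level}:{','.join(caps)}"
    tag = hmac.new(key, invoice.encode(), hashlib.sha256).hexdigest()
    return f"{invoice}|{tag}"  # '|' separator is an assumption of this example


def verify_invoice(value: str, key: bytes = SECRET_KEY):
    """Return (level, caps) only if the HMAC checks out; otherwise None.

    Called where the gateway hands the pass-thru data back (IPN / thank-you
    page) before any capabilities are granted.
    """
    if "|" not in value:
        return None  # unsigned value: treat as tampered, grant nothing
    invoice, tag = value.rsplit("|", 1)
    expected = hmac.new(key, invoice.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    level_str, _, caps_str = invoice.partition(":")
    caps = [c for c in caps_str.split(",") if c]
    return int(level_str), caps


def build_button_query(level: int, caps: list[str]) -> str:
    """Query string the button would carry (':' and '|' get percent-encoded)."""
    return urllib.parse.urlencode({"s2_invoice": sign_invoice(level, caps)})


def parse_return_query(query: str):
    """Decode the returned query string and verify the s2_invoice value."""
    params = urllib.parse.parse_qs(query)
    return verify_invoice(params.get("s2_invoice", [""])[0])
```

A value edited to add `cap2`, or one with the signature stripped, fails `verify_invoice` and so grants nothing; the unedited value round-trips to level 1 with `cap1` only.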

Re: ClickBank Button URL tampering

Post by Jason Caldwell » December 7th, 2011, 1:31 am

s2Member v111206 and s2Member Pro v111206 ( Update )

  • ccBill® Buttons ( but to a far lesser degree, not as vulnerable ) ( fixed security vulnerability )
  • ClickBank® Buttons ( the most vulnerable in this regard ) ( fixed security vulnerability )
  • Google® Checkout Buttons ( also vulnerable ) ( fixed security vulnerability )
  • PayPal® Buttons ( only vulnerable when Button Encryption is disabled )
    ( with PayPal® Buttons, you can enable button encryption to prevent this, see: s2Member -> PayPal Options -> Account Details -> Button Encryption )

This security vulnerability was addressed in the release of s2Member and s2Member Pro v111206.
(s2Member/s2Member Pro) Security fix. A security vulnerability related to unsigned URLs leading to checkout pages for ccBill®, ClickBank® and Google® Checkout, has been addressed in this release. For further details, please see this thread.
The release of s2Member and s2Member Pro v111206 closes this vulnerability for all Payment Gateways integrated with s2Member. Please note however, that with PayPal Standard Button integration, you MUST still enable PayPal Button Encryption to close this vulnerability on your installation.

With PayPal® Buttons, you can enable button encryption here:
s2Member -> PayPal Options -> Account Details -> Button Encryption.

This security vulnerability does NOT affect these Payment Gateway integrations:
  • PayPal Pro Forms ( available with s2Member Pro )
  • Authorize.Net Pro Forms ( available with s2Member Pro )
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here.
Jason Caldwell | Lead Developer | Posts: 4045 | Joined: May 3, 2010 | Location: Georgia / USA

Re: ClickBank Button URL tampering

Post by pbradaric » December 7th, 2011, 4:24 am

Great :)

Thanks Jason.
pbradaric | Registered User | Posts: 4 | Joined: September 20, 2011
