Community Support Forums

[pbradaric]

Hello.

Let's say I have multiple ClickBank products (1,2,3,4) with different prices. In order to grant access to different product "pages" I use custom capabilities (as explained in these videos http://www.s2member.com/custom-capabilities-video/). Now, I need to generate a ClickBank buttons for each of these products (all for level 1).
For the sake of simplicity, let's say I have four "custom capabilities" (cap1, cap2, cap3, cap4). For product 1, I also specify "cap1" under "custom capabilities". For product 2, I specify "cap2" under "custom capabilities". The same goes for products 3 and 4.
Generated URLs have, among other pass-thru variables, this: "s2_invoice=1%3Acap1" (for product 1). For all other products, "s2_invoice" param has appropriate "capN" value.
Now, my concern is this. If "s2_invoice" param for product 1 is changed from this "s2_invoice=1%3Acap1" to this "s2_invoice=1%3Acap1%2Ccap2%2Ccap3%2Ccap4", wouldn't that user be granted access to other products as well? The thing is, anyone can change the request URL and buy a single product but gain access to all other products just by changing s2_invoice param value.

I hope i'm wrong.

Best regards,
Pedja

[Cristián Lávaque]

It's a great question. I'll forward it to Jason.

[BlogPiG]

Is this not a concern to anyone else?

Effectively he's saying customers can choose their access level by tweaking the payment URL!

Is this real?

[MODassic]

This also concerns me, but I have a simpler question.

Does this only affect click bank or does it affect all payment gateways?

[BlogPiG]

I've not looked into the other gateways, are the capabilities sent via the buy button URL for all gateways?
I guess they must do as S2 holds no central data on products/access/capabilities for the IPN to call via an internal code.

I'm not a fan of WishList Member for various reasons but they use an ?sku=1234567 to call-back into the system as the product/level is stored. This can still be removed leaving you with an orphaned order in CB but no fraud can take place.

Amember goes even better and lets me associate the Clickbank product_id with an internal product number so no parameters are needed with the buy button at all. URL tampering is impossible.

Don't get me wrong both of these other solutions have some other major issues and S2 kicks their ass in many ways apart from this, which until I understand it better is a show stopper.

Can't wait to hear from the dev on this.

[BlogPiG]

Still no response on this? C'mon guys, it's a yes or no answer....

[pbradaric]

Hi.

I've confirmed my suspicions by performing a ClickBank test mode purchase. I've copied purchase button URL and added more custom capabilities and s2Member created new account with all custom capabilities I added "manually" to the purchase URL.
Now, the question is, how to protect ourselves against users who will try the same thing I did?

Best regards,
Pedja

[Cristián Lávaque]

The problem with the tampering in this case is when using custom capabilities, not with the product they're purchasing. If they tamper the URL to change the product, then ClickBank will sell them the other product at its right price.

We're looking at the possibility of encrypting the order buttons/URLs. PayPal already allows button encryption.

[pbradaric]

Hi.

Yes, well, actually, the problem is that the user then has access to all of the products! I think this is pretty big deal.
Also, I see no problem with encrypting the whole attributes part of the URL - all the attributes in the purchase URL are "pass through" attributes (service is returning them to the "Thank You Page" unaltered). Also, you could use that "Security Encryption Key" (that s2Member already uses) to encrypt this data.

Best regards,
Pedja

[Jason Caldwell]

Thanks for reporting this important issue.
~ and thanks for the heads up Cristián.

Yes, this is an issue that needs to be addressed. In the latest versions of s2Member we've introduced URL-signing functionality, which will be completed and integrated into ClickBank® very soon. Once that's completed, this vulnerability will no longer exist. In the mean time, you are correct. Changing values in the s2_invoice parameter is possible.

This security vulnerability affects the following Payment Gateways integrated with s2Member:

• ccBill® Buttons ( but to a far lesser degree, not as vulnerable )
• ClickBank® Buttons ( the most vulnerable in this regard )
• Google® Checkout Buttons ( also vulnerable )
• PayPal® Buttons ( but only when button encyption is NOT used )
  ( with PayPal® Buttons, you can enable button encryption to prevent this, see: s2Member -> PayPal Options -> Account Details -> Button Encryption )

This security vulnerability does NOT affect these Payment Gateway integrations:

• PayPal Pro Forms ( available with s2Member Pro )
• Authorize.Net Pro Forms ( available with s2Member Pro )

[Jason Caldwell]

s2Member v111206 and s2Member Pro v111206 ( Update )

• ccBill® Buttons ( but to a far lesser degree, not as vulnerable ) ( fixed security vulnerability )
• ClickBank® Buttons ( the most vulnerable in this regard ) ( fixed security vulnerability )
• Google® Checkout Buttons ( also vulnerable ) ( fixed security vulnerability )
• PayPal® Buttons ( only vulnerable when Button Encryption is disabled )
  ( with PayPal® Buttons, you can enable button encryption to prevent this, see: s2Member -> PayPal Options -> Account Details -> Button Encryption )

This security vulnerability was addressed in the release of s2Member and s2Member Pro v111206.

(s2Member/s2Member Pro) Security fix. A security vulnerability related to unsigned URLs leading to checkout pages for ccBill®, ClickBank® and Google® Checkout, has been addressed in this release. For further details, please see this thread.

The release of s2Member and s2Member Pro v111206 closes this vulnerability for all Payment Gateways integrated with s2Member. Please note however, that with PayPal Standard Button integration, you MUST still enable PayPal Button Encryption to close this vulnerability on your installation.

With PayPal® Buttons, you can enable button encryption here:
s2Member -> PayPal Options -> Account Details -> Button Encryption.

This security vulnerability does NOT affect these Payment Gateway integrations:

• PayPal Pro Forms ( available with s2Member Pro )
• Authorize.Net Pro Forms ( available with s2Member Pro )

[pbradaric]

Great

Thanks Jason.