Payment verification breach in SIM/DPM process

While there are some bugs in the plugins for Drupal Commerce and WordPress WooCommerce, SIM/DPM itself does not provide sufficient security protection. In this post I am going to show the weakest point of the SIM/DPM process. You can easily complete multiple orders but pay for only a single one. This is, however, only true if you make multiple orders of the same amount.

Buying goods for free through the Payment Gateway plugin for WooCommerce

In the previous blog post, Paying less for more in Drupal Commerce through the Authorize.Net SIM/DPM, I described the vulnerability found in the Drupal Commerce Authnet SIM/DPM module. This time I decided to look into other eCommerce platforms to find similar vulnerabilities.

Paying less for more in Drupal Commerce through the Authorize.Net SIM/DPM

In this article I am going to show you how to cheat Drupal Commerce. I will make 2 orders: one for $1000 and another for $30. Due to weaknesses in SIM/DPM and the way the Commerce Authnet SIM/DPM module processes payments, I will be able to pay $30 for a $1000 order. All I need is a modern browser with an HTML inspector.

Hacking a Drupal Commerce site that accepts payments through SIM

At one of my previous jobs we had a client whose organisation was crazy about the security of customer data, such as credit card numbers or billing info. They wanted their online store to be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard that was created to increase control around cardholder data and so reduce credit card fraud resulting from its exposure. However, this does not mean that the standard makes merchants more secure. In fact, there are some new vulnerabilities that I am going to show you in this article.