  1. #1
    Beex

    I'm just as tired of Gold Hack posts as you are BUT

    Do you suppose it's possible that, rather than using scammed cards, they used "URGENT Security problem: Google checkout hack"?

    In case that link doesn't show

    Code:
    I think I have just found a big security hole in your Google Checkout payment gateway.
    When I saw it, I had a doubt, so I tried to hack my site, and it works, so I need to tell you about this; otherwise many of your customers will be hacked if they use your Google Checkout payment gateway.
    
    When you do a payment in enmasse, the payment will send callback data to tell enmasse the customer has already paid them, right? PayPal does that and Google Checkout does too. So we need to validate that the data is correct and is from the payment gateway, not from anywhere else.
    
    But as I see in your payment controller, you check the callback like this:
    
    if ( ! call_user_func_array(array($className, "validateTxn"), array($payClass)) )
    {
    	echo JTEXT::_("PAYMENT_VALIDATION_FAILED");
    	exit(0);
    }
    
    
    So if the validateTxn function (used to validate the data) returns "false", the callback data is considered a scam.
    
    But this is the content of Google Checkout's validateTxn function:
    
    public static function validateTxn($payClass)
    {
    	return true;
    }
    
    
    It ALWAYS returns true in ALL CASES!
    
    I sent a scam callback from my local website to my enmasse and voila, it updated my Google Checkout order from unpaid to paid!
    
    So if hackers have the source code of enmasse and see this big security hole, they can easily buy anything from users' websites without spending a cent!
    
    An easy tip to know which sites use enmasse is to just google the keyword "com_enmasse"; they will filter the sites in their countries and start scamming. And when they share this in the hacker community, your customers around the world will be hacked easily.
    
    If your site only has 10 orders a day, it's easy to check the orders by yourself and notice that an order is paid and ask where the money is. But if you have 100 or 1000 people making payments on your site a day, there is no way you can notice the scam orders.
    
    I haven't checked the other payment gateways, because my client wants to do a Google Offer clone so we use Google Checkout, not PayPal.
    
    I hope this big bug is only in Google Checkout.
    
    Please release a patch soon!!! And please be careful, the quality of your enmasse really needs to be reviewed carefully!!!
    
    My tip is, if you want to be a good web developer, you need to train yourself to be a good web hacker. I will try to hack enmasse in the future, because if my client gets hacked by our fault in coding (actually it is your fault), he can sue our company and we sure will lose.
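
Added example, not part of the original post or of the enmasse code base: a fail-closed callback check in PHP, for contrast with the validateTxn quoted above that always returns true. The HMAC-SHA256 signing scheme, the signature argument, the field names and the sample values are assumptions made for illustration, not Google Checkout's actual protocol.

```php
<?php
// Added example: hypothetical fail-closed callback validator (not enmasse code).
// Assumption: the gateway signs the raw callback body with HMAC-SHA256 using a
// shared merchant secret. Field names and values below are constructed.

function validateTxn(string $rawBody, ?string $signature, string $secret, array $order): bool
{
    // 1. Authenticate the sender: a missing or malformed signature is a failure.
    if ($signature === null || !preg_match('/^[0-9a-f]{64}$/', $signature)) {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    if (!hash_equals($expected, $signature)) {   // constant-time comparison
        return false;
    }
    // 2. Only after authentication, parse the body and bind it to the stored order,
    //    so a valid callback for one order cannot mark a different order as paid.
    $data = json_decode($rawBody, true);
    if (!is_array($data)) {
        return false;
    }
    return ($data['order_id'] ?? null) === $order['id']
        && ($data['amount'] ?? null) === $order['amount']
        && ($data['currency'] ?? null) === $order['currency']
        && ($data['status'] ?? null) === 'paid';
}

// Constructed sample data.
$secret  = 'constructed-merchant-secret';
$order   = ['id' => 'ORD-1001', 'amount' => '25.00', 'currency' => 'USD'];
$body    = json_encode(['order_id' => 'ORD-1001', 'amount' => '25.00',
                        'currency' => 'USD', 'status' => 'paid']);
$goodSig = hash_hmac('sha256', $body, $secret);

var_dump(validateTxn($body, $goodSig, $secret, $order));             // signed by the gateway
var_dump(validateTxn($body, null, $secret, $order));                 // no signature supplied
var_dump(validateTxn($body, str_repeat('0', 64), $secret, $order));  // signature does not match
$tampered = str_replace('25.00', '0.01', $body);
var_dump(validateTxn($tampered, $goodSig, $secret, $order));         // body altered after signing
```

The controller check quoted in the post can stay as it is; what changes is that the validator returns true only when every check passes, so any unexpected input leaves the order unpaid.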

  2. #2
    krazyshank
    It's not this.
    Plus I'm pretty sure Google would patch a year-old real life MONEY EXPLOIT with their services.


  3. #3
    Beex
    Quote: Originally Posted by krazyshank
    It's not this.
    Plus I'm pretty sure Google would patch a year-old real life MONEY EXPLOIT with their services.

    Yeah, after an hour of trying to replicate the gold exploit it's obvious it ISN'T this at all. It's much more complicated. @nilly please close this, I'm starting to feel dumb.
