by benmorris 4351 days ago
I've implemented express checkout on a few carts I've written. It isn't possible to calculate the shipping cost/method until the user gives at minimum their zip code and country. So basically the flow of Express Checkout doesn't allow this since that information is sent back once they authorize a charge and return to your site. At that point the customer is prompted with an order confirmation, final total and to select their shipping information. When they click confirm the charge is actually made. Express Checkout is extremely popular on all of the sites I've worked with and is probably the quickest payment method people can use. In the 6+ years we've been using it we have not had one single complaint about charging the wrong amount shown on the PayPal confirmation page. Customers understand they must select their shipping method and I would rather not have them enter duplicate information.

I am confused how this "bug" is any different than using something like the Payments Pro API. Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.

3 comments

I wouldn't mind entering my ZIP to precalculate the shipping costs. But seriously, shipping costs are a lame excuse. There is nothing that stops PayPal from calling back to the shop to get the shipping costs. Or just make a CORS request from the browser itself and have the shop sign the shipping costs so PayPal knows.

> Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.

Which is exactly why I only use shops with paypal where I see the amount charged on paypal.com if I don't completely trust the shop. I was under the impression that this was the value paypal provides. Apparently I was wrong. Might as well get a prepaid credit card now.

Of course it is a bug. Proper behavior would be to confirm the amount plus shipping, or at the very least, limit the change to an amount no greater than $20 more than what was confirmed.

Hi - It's Anuj Nayar from PayPal. I can confirm that through our Bug Bounty Program a researcher reported this suspected vulnerability with our PayPal Express Checkout.

After looking into the issue, we don't think this is in fact a vulnerability. We work closely with our merchants who use Express Checkout to provide them the flexibility they need to complete their transactions in a timely manner so they can offer excellent payments experiences to their customers. We offer robust buyer and seller protection to cover both ends of the transaction and our systems are pretty good at finding and flagging this kind of illegal behavior if a merchant were to start overcharging your customers.
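A constructed model of the two mitigations proposed earlier in the thread (the shop signing its shipping quote so the processor can show a final total before the buyer confirms, and a cap on how far a later capture may exceed that confirmed total). This is an added example, not PayPal's API or any commenter's code; the shared key, order id, ZIP and amounts are invented.

```python
"""Model of two buyer-protection checks for an Express-Checkout-style flow.
Constructed example: the processor/shop roles and the shared key are assumptions."""
import hashlib
import hmac
from decimal import Decimal

SHOP_SECRET = b"demo-shared-secret"   # key shared by shop and processor (constructed)
CAPTURE_CAP = Decimal("20.00")        # max increase over the confirmed total (thread's $20 idea)


def sign_shipping_quote(order_id: str, zip_code: str, shipping, key: bytes = SHOP_SECRET) -> str:
    """Shop side: bind the quoted shipping cost to the order and destination.
    The quote can then be relayed via the buyer's browser without being altered."""
    msg = f"{order_id}|{zip_code}|{Decimal(shipping):.2f}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def confirmed_total(order_id: str, zip_code: str, cart_total, shipping, sig: str,
                    key: bytes = SHOP_SECRET):
    """Processor side: accept the relayed shipping figure only if the shop signed it,
    then return the full total (cart + shipping) the buyer is asked to confirm.
    Returns None when the signature does not match, so no total is shown."""
    expected = sign_shipping_quote(order_id, zip_code, shipping, key)
    if not hmac.compare_digest(expected, sig):
        return None
    return Decimal(cart_total) + Decimal(shipping)


def capture_allowed(confirmed, requested, cap: Decimal = CAPTURE_CAP) -> bool:
    """Processor side: refuse a capture that exceeds what the buyer confirmed by more than cap.
    A merchant changing the amount after confirmation is thus bounded, not unlimited."""
    return Decimal(requested) <= Decimal(confirmed) + cap


if __name__ == "__main__":
    sig = sign_shipping_quote("order-1", "94105", "7.50")
    total = confirmed_total("order-1", "94105", "40.00", "7.50", sig)
    print("buyer confirms:", total)                       # 47.50
    print("capture 47.50 ok:", capture_allowed(total, "47.50"))
    print("capture 67.51 ok:", capture_allowed(total, "67.51"))   # False, over the cap
```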