July 19th, 2006 by Jamie Estep
Paypal Shopping Cart Makes Spam
Filed in: 3rd Party Processors, Ecommerce, Fraud | 2 comments
Paypal has a built in shopping cart function that allows paypal users to easily add products to their website. The cart works by letting users paste an html form on their website, and when a visitor clicks on the form button, the specific product is added to their cart as they are redirected to paypal. It is a very simple, easy to use shopping cart system.
Lack of proper security:
The problem with the paypal shopping cart, is that is has a major flaw. The seller’s email address is publicly displayed in the product form on their website. This makes is easy for spammers to search for paypal product forms, and harvest the email addresses from them. What makes the problem even worse is that the email address are all but guaranteed to be good and used. They are also the same email addresses of active paypal users. This opens these users up to massive spam, and opens them up to phishing attempts of their paypal addresses. Every website that uses the paypal shopping cart, has their paypal email address displayed in the html code of their website.
If you use the paypal cart:
If you use the paypal shopping cart setup a separate email address for your product forms. This way at least you can cut down on some spam to your general email inbox. Otherwise, I would suggest finding a separate shopping cart for your website. It may take a little extra work, but you are the only one that will pay for Paypal’s lack of security.
Fixing the problem:
It wouldn’t take a lot of work for paypal to fix the problem. They would need to integrate a program that stores your email address, and replaces that space in the form with an encrypted code that links a visitor to your account. Are they going to implement something like this? Highly unlikely.
I wish that I could say that Paypal is going to take a proactive approach in resolving this simple problem, but I just cant see them going out of their way for that. Whatever the case, paypal’s system is an example of completely irresponsible programming, and their customer are the ones that are affected by it.
I completely missed this blatant disregard for customer privacy until a commenter on the blog let me know about it. Here is his original press release: http://www.riverpages.com/paypal-spam-risk.html
PayPal has introduced a good solution to this, their new Express Checkout API offers a server side workaroudn to this, and a faster checkout… the older method in this article is slowly being phased out.
I would think it would be very easy for paypal to simply add an account number (16 digits ?) to every seller’s account. Then have their program look for the “old” field “business” which contains the email of the account AND it could look for the new field “paypalacct” (or similar name) and it could use either. Simply a line or two where it would check ifexists paypalacct then proceed else ifexists business then proceed else improper websiteform would work.
Simple programming and addition of an acct number would allow old or new to be used. Web owners could quickly change to the new format by finding the old line and replacing with the new.
The new server side include?… that just might be tedious or cheap way of fixing the problem and it would still require a lot of work by the website owner. Paypal caused the problem by usage of email in their form, they should just get rid of it and in the easiest way for the seller who may not have adequate knowledge for using SSI. A simple copy and paste by the seller to fix old pages would be the easiest fix.