A couple of months ago, when I was developing a custom E-Commerce Management system which handles all the orders, customers, support, products, product downloads, etc., including a shopping cart using the third-party credit card processor www.2checkout.com, I figured out a minor bug, and I was amazed to see that one was able to download products without even purchasing any product. I am sure several people might have downloaded my own products which I was selling through 2checkout.com.
Note: I hope I will be given credit by the 2checkout.com team for pointing out this security issue.
Other companies knew?
Yes! I have seen several companies selling shopping carts integrated with 2CO, but I guess they never told 2CO about this error, and that was one thing which made me think what a poor attitude people have about telling something to others. This was quite unfair for the people who were selling their templates or ebooks, since one was able to download them for free without paying.
Where was the bug?
I am currently using 2checkout.com, but since I have developed an advanced E-Commerce system, this bug can no longer be applied to my shop at http://www.swish-shop.com
2CO provides you the facility to put your system in DEMO mode so that you can test your system, and/or, if you are working on a shopping cart, no actual sale occurs. The bug was in DEMO mode. But you might be thinking that the companies selling products were not in demo mode, so how was one able to download?
Well, what you had to do was put the seller id and another variable, &demo=Y, in the URL and fill in the credit card information. Since it was in demo mode, there was no actual check for the credit card, and the 2CO system showed a page at the end which stated "This was a demo transaction, no actual sales were processed". But what the heck? At the bottom it was mentioned "here is the product for your demo order", and a direct link to the product was given.
When I saw that I was completely shocked. I said WOW, what a bug in the system! Then I tried this method on a couple of other sites and it worked. It was quite a shame; then I realised why my sales graph went down.. LOL..
But now I have developed a system which never provides the purchased product immediately. This is because there are several fraudulent attempts (stolen credit cards), and I don't want to give my product away for free. So what my system does is check whether the user is already a customer. If NO, the customer is added to the database after the successful payment (as soon as the order completes), and they are given a username and password to log in to their account. Their account shows the status of their order as "pending", and as soon as I approve those orders an email is sent to the customer detailing their download details and saying that their order has been approved and they can download the products.
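As an added example (not the shop's own code and not 2Checkout's), here is the fulfilment logic from the two passages above in Python: a naive handler that hands out the download as soon as the processor's return page arrives, which is exactly what a demo=Y order exploits, beside the hold-and-approve design described in the last paragraph, where a demo transaction is treated as no sale at all and nothing is downloadable until the order is approved. The parameter names (sid, demo, order_number, total, product_id, email), the seller id and the return-page parameters are constructed assumptions for illustration, not captured 2CO traffic.

```python
"""Fulfilment for a download shop sitting behind a hosted payment page.

Added example, not the shop's or 2Checkout's own code. Parameter names and
the seller id below are assumptions made for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MERCHANT_SID = "1234567"  # assumed seller id; compare against the return page


@dataclass
class Order:
    order_number: str
    customer_email: str
    product_id: str
    total: str
    status: str = "pending"  # pending -> approved
    download_token: Optional[str] = None


class Shop:
    def __init__(self) -> None:
        self.customers: Dict[str, str] = {}  # email -> generated password
        self.orders: Dict[str, Order] = {}   # order_number -> Order
        self.downloads: Dict[str, str] = {}  # download token -> product_id

    # Weak pattern: the return page is trusted as proof of payment and the
    # product link is emitted immediately. The demo flag is never consulted,
    # so a demo "purchase" (no card check performed) gets the real file.
    def fulfil_naive(self, params: Dict[str, str]) -> Optional[str]:
        if params.get("sid") != MERCHANT_SID:
            return None
        return f"/download/{params['product_id']}"

    # Hardened pattern: a demo transaction is refused outright, the customer
    # is created if unknown, and the order is only recorded as pending.
    def record_return(self, params: Dict[str, str]) -> Order:
        if params.get("sid") != MERCHANT_SID:
            raise ValueError("unknown seller id")
        if params.get("demo", "N").upper() == "Y":
            raise ValueError("demo transaction: not a sale, nothing to fulfil")
        email = params["email"]
        if email not in self.customers:
            # New customer: create the account and a random initial password.
            self.customers[email] = secrets.token_urlsafe(12)
        order = Order(params["order_number"], email,
                      params["product_id"], params["total"])
        self.orders[order.order_number] = order
        return order

    # Manual approval step: only now does a download token come into existence.
    # The token is what the approval e-mail would carry to the customer.
    def approve(self, order_number: str) -> str:
        order = self.orders[order_number]
        order.status = "approved"
        order.download_token = secrets.token_urlsafe(24)
        self.downloads[order.download_token] = order.product_id
        return order.download_token

    # Download handler: resolves a token to a product; pending orders have no
    # token in this table, so there is nothing to guess or bypass.
    def download(self, token: Optional[str]) -> Optional[str]:
        if token is None:
            return None
        return self.downloads.get(token)


if __name__ == "__main__":
    shop = Shop()
    # Constructed return-page parameters for a demo order.
    demo = {"sid": MERCHANT_SID, "demo": "Y", "order_number": "1",
            "total": "29.00", "product_id": "ebook-1",
            "email": "buyer@example.com"}
    print("naive handler on demo order:", shop.fulfil_naive(demo))
    try:
        shop.record_return(demo)
    except ValueError as exc:
        print("hardened handler on demo order:", exc)
    real = dict(demo, demo="N", order_number="1001")
    order = shop.record_return(real)
    print("real order status:", order.status)
    token = shop.approve(order.order_number)
    print("after approval, token resolves to:", shop.download(token))
```

Whether the hold is released by hand, as described above, or automatically once the processor confirms the sale, the point is the same: the return page a browser can reach with &demo=Y is not evidence that money moved, so the download must hang off a server-side order state that the buyer cannot set. In a real deployment the return-page parameters should additionally be authenticated with the processor's return hash rather than taken at face value; this example leaves that step out.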
This system really helps and saves a lot of my time by not having to manually add customers and their details to my client base. If you need help, let me know; I have a wonderful solution for people who are using 2checkout.com.