How should my extension check whether an AlphaHPP's response message is sent by AlphaCommerceHub or by a hacker?

As I see, the «AlphaHPP» → «Paypage Request Reference» → «Response Message» parameters table does not contain a parameter for signature, so how should my extension check whether a response message is sent by AlphaCommerceHub or by a hacker?

There currently is no signature. If you have a suggestion, we can review it, but this would require development.

So, currently a hacker has a simple vector of attack:

  1. Place an order to a merchant’s store.
  2. Call the SuccessURL manually with his own browser’s cookies (from step 1) and forged HTTP headers and data.
  3. The merchant’s store will treat the order as paid.

The attack is especially effective for instantly downloadable products (like software and electronic books) and instantly provided digital services (e.g. SaaS).
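As an added example (not AlphaCommerceHub's code, since AlphaHPP has no signature parameter today), this is what the merchant-side check could look like if a signature parameter were added to the response message: the extension recomputes an HMAC over the response fields with a shared secret, compares it in constant time, and still checks the fields against the stored order. The parameter names (`OrderId`, `Amount`, `Currency`, `Status`, `Signature`), the canonicalisation and the secret are assumptions for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Hypothetical shared secret agreed between the merchant and the payment provider.
SHARED_SECRET = b"merchant-secret-for-illustration"

# Hypothetical name of the signature parameter; AlphaHPP currently has none.
SIGNATURE_PARAM = "Signature"


def canonical_string(params: dict) -> str:
    """Sort fields by name (excluding the signature) so both sides sign identical bytes."""
    fields = {k: v for k, v in params.items() if k != SIGNATURE_PARAM}
    return urlencode(sorted(fields.items()))


def sign_response(params: dict, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the canonical string; the provider side would compute this."""
    return hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def verify_response(params: dict, stored_order: dict, secret: bytes = SHARED_SECRET) -> bool:
    """Accept the SuccessURL call only if the signature is valid AND it matches our order."""
    provided = params.get(SIGNATURE_PARAM, "")
    expected = sign_response(params, secret)
    if not hmac.compare_digest(provided, expected):
        return False  # missing, forged or tampered response
    # A valid signature alone is not enough: the response must refer to the order,
    # amount and currency the store recorded, or a genuine cheap-order response
    # could be reused against a different order.
    return (params.get("OrderId") == stored_order["OrderId"]
            and params.get("Amount") == stored_order["Amount"]
            and params.get("Currency") == stored_order["Currency"]
            and params.get("Status") == "APPROVED")


# Constructed sample: the order as stored by the merchant before redirecting to the HPP.
stored_order = {"OrderId": "1001", "Amount": "49.90", "Currency": "USD"}

# Constructed sample of a genuine response, signed by the provider.
genuine = {"OrderId": "1001", "Amount": "49.90", "Currency": "USD", "Status": "APPROVED"}
genuine[SIGNATURE_PARAM] = sign_response(genuine)

# Constructed sample of a manual SuccessURL call with the amount changed: signature no longer matches.
tampered = dict(genuine, Amount="0.01")

# Constructed sample of a call with no signature at all (what the current response allows).
unsigned = {k: v for k, v in genuine.items() if k != SIGNATURE_PARAM}
```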