Shellanza Posted January 26, 2018

Hello there, I'm on Prestashop 1.7 and I'm trying to configure the preinstalled module. When I start the process, this is what happens:

1) I click "configure" on the module through the "installed modules" page. Paypal v4.2.1 by Prestashop
2) I'm then in the Prestashop backend page where I click "ACTIVATE" to start the project
3) I'm redirected to the Paypal login page (https secure, a real page...)
4) I enter my user and pass (which the system recognizes) and then I follow the steps to the end, where I get "You authorized Prestashop" and a blue button "Back to Prestashop"

If I proceed, my antivirus tells me this is phishing, and to be honest the URL given to return to is quite weird. You can see it in the screenshot I attached at the very bottom of the page. What the hell is going on? Maybe I just have to tell the antivirus that this is a "false positive"?

202ecommerce Posted January 26, 2018

Hello, We thank you for the interest you have shown in our module. Please register and create a ticket on our support portal so that we can help you: => http://support.202-ecommerce.com/ Upon receipt of your ticket we will contact you to give you a solution.

Best Regards,
202 ecommerce

razaro Posted January 26, 2018

Hi @202ecommerce, could you please explain here as well? I am sure a lot of users would like to know this. Thank you

Dh42 Posted January 26, 2018

Basically they are using an open auth connection to make it easier to connect paypal. This is so you do not have to enter creds that lots of people get wrong and lead to the 1002 error people get with paypal. The downside is you give them the ability to view your transactions and account history. So that is likely used for stats collecting against your company.

razaro Posted January 26, 2018

Thank you for the explanation @DH42. I saw that the domain is registered to 202, and that the data sent are admin name and email as well as shop name and address. Like you said, probably for stats collecting.

Dh42 Posted January 26, 2018

Yes, which could be considered in breach of EU data collecting laws. http://ec.europa.eu/justice/smedataprotect/index_en.htm

Shellanza (Author) Posted January 26, 2018

Thanks to all. By the way, what am I supposed to do? Do you guys think I can ignore this alert and go on?

selectshop.at Posted January 26, 2018

@Shellanza - ignore? No, this module is against EC rules. It should not be used. The developer should remove the part that collects your data, no matter for which purposes he is collecting them. 202 is an EC company as well; they know that this goes against EC laws.

NemoPS Posted January 27, 2018

It depends on how much you care about privacy. As stated above, 202 can theoretically view transaction details and your account history.

202ecommerce Posted January 29, 2018

Hi all, Thank you for contacting us again. For information, this domain is safe. It's the intermediate server. It redirects to your website with your credentials. It's a false positive. For more questions, please register and create a ticket on our support portal so that we can help you: => http://support.202-ecommerce.com/ Upon receipt of your ticket we will contact you to give you a solution.

Thank you
Support Team 202 e-commerce

selectshop.at Posted January 30, 2018

@202ecommerce - Well, the question here is not whether the server is safe or not. The question is how this module works. I think it should be reworked to comply with EC laws.

Shellanza (Author) Posted January 30, 2018

@selectshop.at thanks for joining this topic. Do you have any suggestions for an alternative?

@everybody else I followed their suggestion and opened a ticket with them: they told me the same as here. It's a "false positive", and I have no other information about how that works.

selectshop.at Posted January 30, 2018

1 hour ago, Shellanza said: "@selectshop.at thanks for joining this topic. Do you have any suggestions for an alternative?"

Unfortunately there is no other free Paypal module available. Prestashop should remove this from core as not suitable for EC (I already opened a ticket on the forge bugtracker for this). What you can try is to use any other module with a gateway to standard Italian banks. In this case the customer will pay directly from his bank account, so a very secure payment for you (Skrill, Ingenico, HiPay etc...) - If the module is not in your back-office, then you can download it for free from the addons site: https://addons.prestashop.com/en/481-payment

202ecommerce Posted January 30, 2018

Hi, Thank you for contacting us. Here's how the integrated payment method works on your e-commerce platform:

1 / The buyer chooses to pay with PayPal
2 / Your site sends an API request to PayPal called "SetExpressCheckout".
3 / PayPal responds to this API request by providing a "token" (Starting with EC ...).
4 / Your site uses this token to redirect the buyer to the PayPal payment page via the URL: https://www.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=XXXX (where XXXX is the token returned in the previous step).
5 / The buyer chooses his payment solution and clicks on "Pay" or "Continue" (this depends on your integration).
6 / The buyer is redirected to your site that runs the GetExpressCheckout API (optional) and DoExpressCheckout (required) to make the payment.

You can contact us via the form provided for this purpose on the page of your Prestashop module. For the module named "PayPal Europe - Official Module": http://addons.prestashop.com/en/1748-paypal.html

Thank you
Support Team 202 e-commerce
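
The step 4 redirect in the post above can be checked mechanically. This is an added example, not part of the original posts and not the module's own code: it builds the redirect from the token and lists why a look-alike URL fails; the function names, the constructed token and the example.test hosts are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the URL quoted in step 4 of the post.
PAYPAL_HOST = "www.paypal.com"
PAYPAL_PATH = "/cgi-bin/webscr"
EXPECTED_CMD = "_express-checkout"


def build_redirect(token):
    """Step 4: build the buyer redirect from the token returned in step 3."""
    if not token.startswith("EC"):
        raise ValueError("not an Express Checkout token (expected EC...)")
    return "https://%s%s?%s" % (
        PAYPAL_HOST, PAYPAL_PATH, urlencode({"cmd": EXPECTED_CMD, "token": token}))


def check_redirect(url):
    """Return the reasons url is not the step-4 PayPal redirect (empty = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo before the host")
    if parts.hostname != PAYPAL_HOST:  # exact match, never substring or suffix
        problems.append("host is %r" % parts.hostname)
    if parts.port not in (None, 443):
        problems.append("unexpected port")
    if parts.path != PAYPAL_PATH:
        problems.append("unexpected path")
    params = parse_qs(parts.query)
    if params.get("cmd") != [EXPECTED_CMD]:
        problems.append("cmd is not %s" % EXPECTED_CMD)
    tokens = params.get("token", [])
    if len(tokens) != 1 or not tokens[0].startswith("EC"):
        problems.append("missing or malformed token")
    return problems


# Constructed sample URLs (the token and the example.test hosts are made up).
QUERY = "/cgi-bin/webscr?cmd=_express-checkout&token=EC-CONSTRUCTED123"
SAMPLES = {
    "genuine": build_redirect("EC-CONSTRUCTED123"),
    "lookalike host": "https://www.paypal.com.example.test" + QUERY,
    "userinfo trick": "https://www.paypal.com@example.test" + QUERY,
    "plain http": "http://www.paypal.com" + QUERY,
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, "->", check_redirect(url) or "OK")
```
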

selectshop.at Posted January 30, 2018

@202 ecommerce - this was not really the question. How it works is clear, but not what happens behind, i.e. that the module (as intermediate) is collecting not explicitly allowed third party information for stat purposes (this information is not given anywhere when you install/activate the module, nor do I have a possibility to dissent to this data collection), which is not according to EC rules. The link you added one post before is for the same module coming with Prestashop core.

bellini13 Posted January 31, 2018

I think @202 ecommerce knows pretty well what the question is, and he is choosing to intentionally ignore it...

202ecommerce Posted February 8, 2018

Hi all, First of all, sorry for our previous answers, which were not relevant.

The new PayPal module (i.e. PayPal version 4.x) has a new onboarding engine. As mentioned below, this engine avoids API credentials copy and paste, which was a major issue faced by merchants with our module. This new onboarding engine also allows merchants with no PayPal account to create an account right in the onboarding process.

This new onboarding engine uses a bounce server (pp-ps-auth.com) to access PayPal specific resources. The bounce server is used for security reasons; no data is collected / stored, data is only pushed to PayPal. The schema has been designed with PayPal.

Thanks @Shellanza for your alert, you are the first to face such a false positive. We will contact antivirus maker ESET to see how we can remove this alarm.

Pierre
202 ecommerce

selectshop.at Posted February 9, 2018

@202ecommerce Sorry, but also for the push service (moreover a third party service without any relation to Paypal), you need to inform the customers using your module that you are pushing data and collecting them for a while BEFORE THEY INSTALL YOUR MODULE. Transparency and consent are missing. Without the explicit consent of any EC user, your module is not in accordance with EC laws and not suitable. There is no need to use the push service. There is no excuse.

Personally I'm not comfortable with third party integrations in a module, because this undermines any law, security, etc. In case of stolen data I, as shop owner offering this kind of service with your module, will be legally responsible. And you as module provider/push service provider will acquit yourself. Furthermore most of the people using Paypal know what Paypal is and they have a Paypal account, so it should be the majority in this case and not the minority. So why are you using this architecture, and this without any consent or information? Change it, and make it according to

And the false positive is not only given by ESET. Test with other firewalls.

202ecommerce Posted February 9, 2018

Hi,

1 - We don't push any data before the merchant installs the module, then clicks the "Activate" button in the module configuration screen.
2 - No data is stored by 202: data is transferred to PayPal & used to pre-fill subscription process fields (merchant can change).
3 - PayPal, as a payment solution in EC, has strong legal commitments, including on security topics. Working with a third party does not free PayPal from these commitments.

The new subscription process is more safe & simple. I will share your feedback with PayPal for further investigations.

Pierre
202 ecommerce

selectshop.at Posted February 9, 2018

Hi Pierre, there is nothing safe if you use push services. This could be intercepted, because you are using a middleman.

1 - I'm not saying that you are reading data BEFORE the module is installed.
2 - There is no guarantee of this anywhere, what your servers are doing or not. You are not informing that there is a third party service (middleman) involved in the course of data transfer to Paypal. You are surely not anonymizing data as requested per law, because this data is needed for the Paypal account. Furthermore, if you really want to go ahead this way, you at least need to have the explicit consent of the module user for this. There is no form popping up where you can disagree or agree to that.
3 - Not relevant in this case. Paypal is Paypal. We are talking about what your module is doing and not the Paypal service per se.
4 - Technically there is no need to use a push service to connect to Paypal.

Make your module according to ePrivacy Directives 2002 and all will be ok and nobody will have any claim on your module.

jetx Posted April 13, 2018

Yeah, just this moment installed this module, thought wait a moment this doesn't look right and uninstalled it after reading this thread. Have gone for a paid option which doesn't use this nonsense and avoid credentials.

selectshop.at Posted April 13, 2018

Another problem with this module you can read here: https://www.prestashop.com/forums/topic/741201-why-can-i-see-paypal-script-in-source-code-of-product-site/ This is not correct behavior in security terms. There should never be any code added to the source visible to the whole world. This is an invitation for hackers to find a way to hack the software.

pixelicous Posted August 20, 2020

On 4/13/2018 at 4:59 AM, jetx said: "Yeah, just this moment installed this module, thought wait a moment this doesn't look right and uninstalled it after reading this thread. Have gone for a paid option which doesn't use this nonsense and avoid credentials."

Hey jetx, this is a very old post, I was wondering though which module you purchased to replace this one, and are you happy with it? Currently really not happy with what prestashop or paypal develop. Thanks in advance

jetx Posted October 16, 2020

On 8/21/2020 at 1:20 AM, pixelicous said: "Hey jetx, this is a very old post, I was wondering though which module you purchased to replace this one, and are you happy with it? Currently really not happy with what prestashop or paypal develop. Thanks in advance"

Hey, sorry, too busy and never visit here often. The module I bought and still use is in addons and it's "Paypal Payments Standard". It does what I need it to do.