Quote:
Originally posted by Arty
Nice idea
But there is a security problem with it...
http://www.micropaymentdemo.com/demo...tm?payc=301993
I think the processing server just checks for the referring URL, hence it allows me to spoof it using zspoof
First pic should charge 1 cent, second one should charge 15 cents for 10 mins... As I don't have any accounts I'm not sure what would happen next, but I think it'll allow that. Maybe you should encrypt those price & minute settings at the links using a custom key for each merchant to verify it...
I know the average surfer might never notice or try that, but a leak is a leak..
No, there's no security problem there!
You're not logged in. For performance reasons it doesn't bother to check the price until you have logged in, that's why it's looking like accepting your click in your screen shot. If you get an account and follow through on the click, you'll see it will refuse you because the price is wrong.
It's simple to get an account - try it.
We don't rely on the referrer for security.
All static links are pre-registered to ensure that no content is obtained at the wrong price. Or if you use dynamic links, the price and minute settings are protected by an MD5 hash including the unique merchant password.
You had me worried for a moment, but only a moment!
Danny
__________________
Sell your videos and pictures by the click
Earn 50% commission on all sales to your traffic for ever!
info at payasyouclick.com ICQ:298-963-699
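
The reply above says dynamic links carry price and minute settings protected by an MD5 hash that includes the merchant password. The following is an added example of such a server-side check, not code from the thread or from the service: the parameter names, the canonical string layout and the sample merchant secret are assumptions, and an HMAC-SHA256 tag is included beside the MD5 one as the keyed construction normally preferred today.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed merchant id and password, for illustration only.
MERCHANT_SECRETS = {"m1001": b"constructed-merchant-password"}

def _canonical(params):
    # Sort keys and drop the tag so signer and verifier hash identical bytes.
    return urlencode(sorted((k, v) for k, v in params.items() if k != "sig")).encode()

def md5_tag(params, secret):
    # Assumed layout for the scheme the reply describes: MD5(settings | password).
    return hashlib.md5(_canonical(params) + b"|" + secret).hexdigest()

def hmac_tag(params, secret):
    # Keyed construction: HMAC-SHA256 over the same canonical string.
    return hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()

def sign_link(merchant, price_cents, minutes, tag_fn=hmac_tag):
    params = {"merchant": merchant, "price": str(price_cents), "minutes": str(minutes)}
    params["sig"] = tag_fn(params, MERCHANT_SECRETS[merchant])
    return urlencode(params)

def verify_link(query, tag_fn=hmac_tag):
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        return False  # repeated parameter: refuse rather than guess which one counts
    secret = MERCHANT_SECRETS.get(params.get("merchant", ""))
    sig = params.get("sig")
    if secret is None or sig is None:
        return False
    expected = tag_fn(params, secret)
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), sig.encode())

if __name__ == "__main__":
    link = sign_link("m1001", 15, 10)
    print(verify_link(link))
    print(verify_link(link.replace("price=15", "price=1")))
```

The check runs on the server at the point where the charge is made, so an edited price or duration in the link fails verification regardless of what the referrer header says.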