Custom cart items security concern

custom-cart-items

#1

The custom cart items documentation states:

Custom Cart Items are available via implicit authentication. You should always check each order has the correct details for each item, most importantly, price.

However, I’m unsure where an opportune time to perform this check would be, because the implicit grant type allows users to bypass our servers and add a custom item to the cart as well as checkout and pay – any help would be much appreciated.

EDIT: The more I think about this, the check must be done at the time a custom item is added to the cart, because the price could change in the time between add to cart and checkout / pay / post sales. I really feel for this to be viable we need to disable implicit grants?


#2

Hi @riscarrott thank you for the great feedback!

There are several ways in which you can check the custom cart items price:

  1. Do the check when you add to the cart, server-side only, to be secure.
  2. Do the check during checkout, server-side only, to be secure.
  3. Do the check after the order has been paid (when you’re about to fulfil the order). This would let you do implicit authentication for the whole cart/checkout/payment flow but would still need a server-side check to validate securely. It is advisable to do this with all custom cart items as it stands if you’re relying on custom cart items for things such as tax.

We will feed this back to our Engineering team who will look at the implications around this functionality.

Thank you

Drew


#3

Hi @drew

My concern is somebody could make the REST calls w/ an implicit token directly to Moltin and change the price to 0, checkout and pay, bypassing our servers altogether?

re: your third suggestion – I don’t think this would work as the price may have changed by the time the fulfillment occurs, it needs to be done at the time of add to cart?


#4

Hi @riscarrott

Technically the price of the custom cart item could be set to 0 if validation isn’t in place; however, the overall price of the cart could not be set to 0.

With regards to the third suggestion, the order items cannot be changed implicitly and so your validation would catch any anomalies before fulfilment takes place.

If possible could you give me a use case with regard to how you wish to use custom cart items? This will help us understand better what you are trying to achieve and how we can help facilitate that.

Thanks

Drew


#5

Essentially our use-case is selling products which aren’t in the Moltin catalog which leaves the following security vulnerability:

  1. Add custom item to cart via UI worth £100.00
  2. Inspect cart response and retrieve the sku of the custom item
  3. Delete cart by starting a new session (e.g. deleting localStorage or equivalent)
  4. Create a new cart and add the same custom item sku with a price of £0.01 via REST API using implicit auth
  5. Go to checkout and purchase via UI or REST (the latter can be used if the UI has validations against price)

The problem with doing the validation at the time of fulfilment is that the price of the product may have changed since the order was placed, so it can no longer be reliably validated.

I understand selling products outside of the Moltin catalog is a more extreme use-case but I think the same logic applies for shipping / tax etc?

If we’re able to remove the implicit grant for our store then we have complete control over security.


#6

Hi @riscarrott, do you have dynamic product prices? Would it be possible to take a snapshot of the product price and add that to a custom field on the order? Then you would be able to cross-reference the price.

Thanks,

Drew


#7

@drew yeah we do have dynamic product prices fed in from other data sources.

We could potentially get away with adding the price to the order when the cart is checked out; however, there’s still a window of time between adding the product to the cart and creating an order during which the price may have changed, meaning we run a real risk of incorrectly flagging an order as invalid…
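The pre-fulfilment, server-side check from Drew's third option in #2, combined with the price snapshot idea from #6, can be written so that it does not produce the false flags raised in #7: instead of demanding that the order's unit price equal today's price, it accepts any price that was genuinely in effect while the item sat in the cart, and it still rejects the £0.01 re-add from #5. The following is an added example and is not Moltin's code or part of this thread; the order shape (`created_at`, per-item `sku`, `quantity`, `unit_pence`, optional `price_snapshot` custom field written by the store's own backend at add-to-cart time), the integer-pence convention, the `PRICE_HISTORY` table and the `MAX_CART_AGE_MS` policy value are all assumptions, and every order below is constructed.

```javascript
// Added example (not Moltin's code): server-side validation of custom cart
// item prices, run before an order is fulfilled. Assumes integer pence and the
// order/item shape described in the lead-in. All data here is constructed.

// Constructed authoritative price history: per SKU, sorted by effectiveFrom
// (ms since epoch). Each entry stays in effect until the next one starts.
const PRICE_HISTORY = {
  'custom-widget': [
    { effectiveFrom: Date.parse('2020-01-01T00:00:00Z'), pence: 10000 }, // £100.00
    { effectiveFrom: Date.parse('2020-01-01T12:00:00Z'), pence: 9500 },  // drop to £95.00
  ],
};

// Assumed store policy: a cart older than this is refused rather than guessed at.
const MAX_CART_AGE_MS = 24 * 60 * 60 * 1000;

// Set of prices that were in effect at some instant within [from, to].
function pricesInWindow(history, from, to) {
  const prices = new Set();
  history.forEach((entry, i) => {
    const start = entry.effectiveFrom;
    const end = i + 1 < history.length ? history[i + 1].effectiveFrom : Infinity;
    if (start <= to && end > from) prices.add(entry.pence); // [start, end) overlaps [from, to]
  });
  return prices;
}

// Returns { ok, anomalies }. Anomalies are reported, never silently corrected,
// so a suspicious order can be held for review instead of being fulfilled.
function validateOrderForFulfilment(order, priceHistory = PRICE_HISTORY) {
  const anomalies = [];
  const createdAt = Date.parse(order.created_at);
  for (const item of order.items) {
    const flag = (reason, extra = {}) => anomalies.push({ sku: item.sku, reason, ...extra });
    const history = priceHistory[item.sku];
    if (!history) { flag('unknown sku'); continue; }
    if (!Number.isInteger(item.quantity) || item.quantity <= 0) { flag('bad quantity'); continue; }
    if (!Number.isInteger(item.unit_pence) || item.unit_pence <= 0) { flag('bad unit price'); continue; }

    // The cart window starts at the trusted add-to-cart snapshot when one
    // exists, otherwise at the oldest cart age the policy tolerates.
    let windowStart = createdAt - MAX_CART_AGE_MS;
    const snap = item.price_snapshot;
    if (snap) {
      const capturedAt = Date.parse(snap.captured_at);
      if (Number.isNaN(capturedAt) || capturedAt > createdAt || createdAt - capturedAt > MAX_CART_AGE_MS) {
        flag('stale or invalid snapshot'); continue;
      }
      if (item.unit_pence !== snap.pence) {
        flag('unit price differs from add-to-cart snapshot', { snapshot: snap.pence }); continue;
      }
      windowStart = capturedAt;
    }

    // Accept only a price that really was in effect while the item was in the
    // cart; a price that changed before checkout is therefore not a false flag.
    const allowed = pricesInWindow(history, windowStart, createdAt);
    if (!allowed.has(item.unit_pence)) {
      flag('unit price was never in effect during the cart window', { allowed: [...allowed] });
    }
  }
  return { ok: anomalies.length === 0, anomalies };
}

// Constructed orders: a legitimate one where the price dropped while the item
// was in the cart, and a tampered one where the item was re-added at £0.01.
const LEGITIMATE_ORDER = {
  created_at: '2020-01-01T13:00:00Z',
  items: [{ sku: 'custom-widget', quantity: 1, unit_pence: 10000,
            price_snapshot: { pence: 10000, captured_at: '2020-01-01T10:00:00Z' } }],
};
const TAMPERED_ORDER = {
  created_at: '2020-01-01T13:00:00Z',
  items: [{ sku: 'custom-widget', quantity: 1, unit_pence: 1,
            price_snapshot: { pence: 1, captured_at: '2020-01-01T12:30:00Z' } }],
};

console.log(validateOrderForFulfilment(LEGITIMATE_ORDER)); // ok: true
console.log(validateOrderForFulfilment(TAMPERED_ORDER));   // ok: false, one anomaly
```

The snapshot is only trusted because it is assumed to be written by the store's own backend; if a client could set that custom field implicitly it would add nothing, which is why the final check compares against the store's price history rather than against the snapshot alone. Without any snapshot the check falls back to the full `MAX_CART_AGE_MS` window, which is more lenient but still refuses a price that was never charged in that period.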