Over time there has purportedly been an occasional rash of ShiftCode GPT site member accounts getting hacked (or accessed by unauthorized persons because of improper password hygiene and security practices on the part of members).
NOTE: If you are a GPT site member then don't worry, it's relatively simple to avoid getting your account hacked by making sure that you use a strong password that you don't use at any other site. It also may help to minimize risk by not allowing your GPT member account(s) to accrue a large balance - don't leave it in, withdraw it all ASAP.
Once these unauthorized persons are inside the GPT member account, the main target is usually to withdraw any standing account balance to PayPal via the withdrawal dialog.
For the offender to benefit from the unauthorized withdrawal, they must be able to change the true account holder's PayPal email address (where one is on file) to a PayPal address they control.
If the target GPT site doesn't have the security measures described in this article in effect, then raiding a hacked GPT site member account is relatively easy whenever the GPT admin and/or the GPT site member has been even mildly careless.
If your ShiftCode GPT site has instant (unattended / automated) withdrawal methods available, I highly recommend that you apply this modification to ALL the instant methods you offer (methods other than PayPal may need slight modifications to this very basic code).
Here are the changes I recommend. These changes and code modification have been tested on several GPT sites so far with good results.
PROJECT COMPLEXITY – NOVICE TO INTERMEDIATE
(Probably OK for newbies or coding beginners, but if you are squeamish then seek help or observation from someone who knows a bit better – you may even contact me for help or observation, but I won't do it completely for you.)

If you are the tiniest bit squeamish about altering PHP script code in its raw form then I highly recommend that you hire a programmer to make these changes for you. Though know that, as programming code modifications go, this particular project is super simple for most do-it-yourselfers.
- In your ShiftCode GPT site Admin Panel then go to (left side menu) Products > Withdraw (click on the word 'Withdraw')
- Find 'PayPal' (or the desired withdrawal method you wish to secure) and click on it. You should now be at a screen that says "Methods > Edit Method" at the top.
- Un-check (if checked) the "Type Again:" box that is described as "Yes, force the user to type their info in twice."
- Basically what we just accomplished is to make sure that the PayPal email appears only once on the withdraw page (and doesn't need to be typed into a second field when withdrawing).
Now we'll move on into the actual code editing portion of this project. Whether you are a beginner or a seasoned pro at this point I must admonish you to make complete backups of any code (the whole file - ALL the code in that file) you intend to change - BEFORE you change anything.
My preferred method for making such backups is to bring up Notepad (notepad.exe, the built-in Windows text file editor), copy all the code in the file you intend to modify into Notepad, and save it under the name of the script or include file. Again, do this BEFORE you make any modifications to the code.

Also, at this point I should mention (just to be wise towards the future) that ShiftCode has a built-in function that will conveniently zip up all of your script files and make a single zip file containing the current state of all of them (at least the ones you have access to – there are many more scripts behind the ShiftCode 'curtain' that you can not see) available for you to download and file away in a safe place on your own machine for future reference. There is no time like the present to do this. To download your scripts backup, simply click on 'Scripts' under 'Files & Templates' in the lower right menu in your admin panel. Then look in the upper right area of the center window (at the top) for a button labeled 'Backup All' (as seen below) and click on it to download the script backup file. Store it in a safe place that you will remember when/if you need it.
Ok, back to our little coding project.
- Find and click on 'Includes' (just above where you found 'Scripts' earlier) under the 'Files & Templates' heading lower down on the right side Admin Panel menu.
- Find the include with the ID '_withdraw_form' and click on it to reveal the 'Editing Include' page for that include.
- This is the point where I usually STOP COLD and copy all the code in the window and paste it into notepad and save it to a text file just in case.
- NOTE: If this is your first time attempting this modification, skip to the “UPDATE: [10/08/2014]” statement below INSTEAD of steps 4 and 5 (the update contains newer information just discovered).
________________________________________________________
UPDATE: [10/08/2014] REPLACING STEPS 4 AND 5 ABOVE !
Ok, I just ran across a GPT admin with a slightly different configuration (his site was heavily customized already). What I learned was that in certain cases it DOES matter exactly where you put the “ readonly “ statement: it rightly belongs just after the “input” statement in that line of code.
So in the statements below, the first statement is what the original looks like and the second statement is what it should be changed to, INSTEAD of the way shown above (left in for the sake of those who have already completed the change that way – if you already changed it the above way and it works then it's fine to leave it, but if you are making this as a new change then use the examples below INSTEAD OF the examples above):
Change that (above) to the following (notice the “ readonly “, with a space before and after, placed just AFTER the “input”):
________________________________________________________________
- Save that code change by clicking on the 'Update' button at the bottom.
- Now log in to your GPT site as a member (with enough funds to see the withdrawal option) and notice that you can no longer change the PayPal email field from the default pre-set PayPal email address. DONE!
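As an added example (not ShiftCode's own code, which is not reproduced here), this is what the read-only PayPal field and a matching server-side check look like in plain PHP; the $member record, the field name paypal_email and the helper names are assumptions for illustration:

```php
<?php
// Added example, not ShiftCode's code: a PayPal withdraw field rendered
// read-only from the member record, plus a handler-side check that refuses
// the payout if the posted address ever differs from the one on file.
// $member and the field name 'paypal_email' are assumptions for illustration.

// Constructed sample member record (stands in for the logged-in member).
$member = [
    'id'           => 42,
    'paypal_email' => 'member@example.com',
    'balance'      => 12.50,
];

function render_paypal_field(array $member): string
{
    $email = htmlspecialchars($member['paypal_email'], ENT_QUOTES, 'UTF-8');
    // Original form (with the "Type Again" box already unchecked in the admin panel):
    //   <input type="text" name="paypal_email" value="...">
    // Changed form: " readonly " placed directly after "input", as the update describes.
    return '<input readonly type="text" name="paypal_email" value="' . $email . '">';
}

function check_withdraw_request(array $member, array $post): array
{
    // readonly only stops the member editing the box in the browser; the
    // handler should still pay out to the address on file, never the posted one.
    $onFile = $member['paypal_email'];
    $posted = trim((string)($post['paypal_email'] ?? ''));

    if (strcasecmp($posted, $onFile) !== 0) {
        // The read-only form never produces a different value, so a mismatch
        // means the request did not come from that form: refuse it and log it.
        error_log(sprintf('withdraw mismatch for member %d: posted %s, on file %s',
            $member['id'], $posted, $onFile));
        return ['ok' => false, 'payout_to' => null, 'reason' => 'paypal_email_mismatch'];
    }
    return ['ok' => true, 'payout_to' => $onFile, 'reason' => null];
}

// Usage: render the field, then validate two constructed withdraw submissions.
echo render_paypal_field($member), PHP_EOL;
var_dump(check_withdraw_request($member, ['paypal_email' => 'member@example.com']));
var_dump(check_withdraw_request($member, ['paypal_email' => 'other@example.net']));
```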
Ok, there are still certain cases where your site was not set up with the configuration I assumed above (which would be the normal one): for example, you may be using a custom field for the PayPal email address that is completed during registration. In that case you will have marked that custom field read-only (a simple setting) so that members can not change it after registration.

Also, once you have completed the above modification you will want to remind your members somewhere that if/when they ever need to change their pre-set PayPal withdrawal email, they will need to contact you (the admin) to do it for them via inbox message or support ticket (ONLY). You won't want to allow PayPal email address change requests to come in from the built-in ShiftCode contact form, or even via direct email – you want this crucial contact to be made ONLY from within the member's account for security purposes (the contact form can be accessed from outside the account, and any email can be spoofed by anyone, making it look like it's coming from anyone!)
Remember, if hackers are smart enough to guess people’s passwords then they are probably also smart enough to try and trick you (the admin) into making the email change for the targeted account for them (wink)
Also (without going into too many details publicly here), if your site has instant payment methods then it is highly recommended that you DO NOT use the 'Signature' referral banners feature (the banners that show individual member stats on them).
There you go ;-)