Hi guys. I just implemented PayPal Express Checkout on my website. All went well until I tested it live (without the sandbox, because they didn't send me the confirmation email and I cannot get the API credentials). I used my own PayPal account.
My question is:
Step 1) Call "SetExpressCheckout" with the required data.
Step 2) Get the token and redirect the user to pay 0.01 USD. (All good, the user saw $0.01.)
Step 3) Get the buyer details with "GetExpressCheckoutDetails" and save them. (All good.)
here is the big problem:
Step 4) Call the API "DoExpressCheckoutPayment" with TOKEN, PAYERID, etc., and also the PAYMENT TOTAL AMOUNT.
In this step I added the TOTAL AMOUNT by mistake as $500, hardcoded. After finalizing the order, the $500 were transferred to my account from the buyer's account instead of $0.01.
How is this possible??? Why doesn't PayPal check the total amount from SetExpressCheckout against the total amount from DoExpressCheckoutPayment, since the token is the same one?
In my opinion this is a major security issue.
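One way to close this on the merchant side, shown here as an added example that is not the poster's code: record the order total per TOKEN when SetExpressCheckout is called, and refuse to call DoExpressCheckoutPayment unless the stored amount, the amount returned by GetExpressCheckoutDetails, and the amount about to be sent all agree. The method and field names (SetExpressCheckout, GetExpressCheckoutDetails, DoExpressCheckoutPayment, TOKEN, PAYERID, PAYMENTREQUEST_0_AMT, PAYMENTINFO_0_AMT) are PayPal's classic NVP names; `FakeNvpGateway`, `Checkout`, `AmountMismatch` and `demo` are hypothetical, and the fake gateway is a constructed offline stand-in that reproduces only what the post reports (the final call charges whatever amount it is sent), not verified PayPal behaviour.

```python
"""Server-side amount binding for PayPal Express Checkout (classic NVP API).

Added example, not from the original post. FakeNvpGateway is a constructed
stand-in that mimics only what the post describes: DoExpressCheckoutPayment
charges the AMT in the request without comparing it to SetExpressCheckout.
"""
from decimal import Decimal
from urllib.parse import parse_qs, urlencode


class FakeNvpGateway:
    """Constructed offline stand-in for the NVP endpoint (not PayPal's code)."""

    def __init__(self):
        self.sessions = {}   # TOKEN -> fields captured at SetExpressCheckout
        self.charged = []    # amounts actually taken from the buyer

    def call(self, body: str) -> dict:
        p = {k: v[0] for k, v in parse_qs(body).items()}
        method = p.get("METHOD")
        if method == "SetExpressCheckout":
            token = f"EC-{len(self.sessions) + 1:017d}"   # hypothetical token format
            self.sessions[token] = {"AMT": p["PAYMENTREQUEST_0_AMT"],
                                    "PAYERID": "PAYER1234567"}  # constructed payer id
            return {"ACK": "Success", "TOKEN": token}
        if method == "GetExpressCheckoutDetails":
            s = self.sessions[p["TOKEN"]]
            return {"ACK": "Success", "TOKEN": p["TOKEN"],
                    "PAYERID": s["PAYERID"], "PAYMENTREQUEST_0_AMT": s["AMT"]}
        if method == "DoExpressCheckoutPayment":
            amt = Decimal(p["PAYMENTREQUEST_0_AMT"])   # no cross-check, as in the post
            self.charged.append(amt)
            return {"ACK": "Success", "PAYMENTINFO_0_AMT": f"{amt:.2f}"}
        return {"ACK": "Failure", "L_LONGMESSAGE0": "unknown METHOD"}


class AmountMismatch(Exception):
    """Raised when the amount about to be charged is not the one the buyer approved."""


class Checkout:
    """Merchant side: the total is recorded per TOKEN at step 1 and must match later."""

    def __init__(self, gateway):
        self.gw = gateway
        self.orders = {}     # TOKEN -> (amount, currency); the only trusted copy

    def _nvp(self, **fields) -> dict:
        # A real client would add USER/PWD/SIGNATURE here and POST over HTTPS.
        return self.gw.call(urlencode({"VERSION": "124.0", **fields}))

    def start(self, amount, currency: str = "USD") -> str:
        amount = Decimal(amount)
        r = self._nvp(METHOD="SetExpressCheckout",
                      PAYMENTREQUEST_0_AMT=f"{amount:.2f}",
                      PAYMENTREQUEST_0_CURRENCYCODE=currency,
                      PAYMENTREQUEST_0_PAYMENTACTION="Sale",
                      RETURNURL="https://example.invalid/return",
                      CANCELURL="https://example.invalid/cancel")
        self.orders[r["TOKEN"]] = (amount, currency)
        return r["TOKEN"]

    def finalize_unchecked(self, token: str, payer_id: str, amount) -> Decimal:
        """Step 4 as the post describes it: the amount is passed straight through."""
        r = self._nvp(METHOD="DoExpressCheckoutPayment", TOKEN=token, PAYERID=payer_id,
                      PAYMENTREQUEST_0_AMT=f"{Decimal(amount):.2f}",
                      PAYMENTREQUEST_0_PAYMENTACTION="Sale")
        return Decimal(r["PAYMENTINFO_0_AMT"])

    def finalize(self, token: str, payer_id: str, amount) -> Decimal:
        """Step 4 with the merchant's own check: requested, stored and approved
        amounts must all agree, and PAYERID must be the one PayPal reported."""
        stored, currency = self.orders[token]
        details = self._nvp(METHOD="GetExpressCheckoutDetails", TOKEN=token)
        approved = Decimal(details["PAYMENTREQUEST_0_AMT"])
        if not (Decimal(amount) == stored == approved):
            raise AmountMismatch(f"{token}: stored {stored}, approved {approved}, "
                                 f"requested {amount}")
        if details["PAYERID"] != payer_id:
            raise AmountMismatch(f"{token}: PAYERID does not match checkout details")
        r = self._nvp(METHOD="DoExpressCheckoutPayment", TOKEN=token, PAYERID=payer_id,
                      PAYMENTREQUEST_0_AMT=f"{stored:.2f}",   # send the stored value, never the caller's
                      PAYMENTREQUEST_0_CURRENCYCODE=currency,
                      PAYMENTREQUEST_0_PAYMENTACTION="Sale")
        return Decimal(r["PAYMENTINFO_0_AMT"])


def demo() -> dict:
    """Replays the post's scenario: $0.01 approved, $500 hardcoded at step 4."""
    gw = FakeNvpGateway()
    co = Checkout(gw)
    t1 = co.start("0.01")
    unchecked = co.finalize_unchecked(t1, "PAYER1234567", "500.00")  # buyer loses $500
    t2 = co.start("0.01")
    try:
        co.finalize(t2, "PAYER1234567", "500.00")
        blocked = False
    except AmountMismatch:
        blocked = True                                                # guard refuses
    checked = co.finalize(t2, "PAYER1234567", "0.01")                 # correct amount goes through
    return {"unchecked": unchecked, "blocked": blocked, "checked": checked,
            "charged": gw.charged}


if __name__ == "__main__":
    print(demo())
```

The point of `finalize` is that the value sent in step 4 is taken from the merchant's own record, never from the request that triggers the final call, and that the record is compared with what GetExpressCheckoutDetails reports the buyer approved. Whatever the gateway does or does not verify, the hardcoded $500 can then only raise an error, not a charge.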