Mark Geisinger wrote:
> Wondering if Website Builder might be useful for an entry level
> e-commerce site, and being curious how it's handling the payment
> gateways in JavaScript, I set up a trial account and had a look at
> the checkout page. Much to my surprise, I found that the Authorize.net
> login name and transaction key are in clear text in the generated
> page. The login name is in a hidden form field, and the transaction
> key is assigned to a variable in call_sub().
>
> Does anyone at Tucows think this is a really, really, bad idea?

Is the "transaction key" that you speak of the same as the account password? It would take someone about five seconds to guess our account login, so AFAIC embedding it in a generated page's source is somewhat stupid, but harmless. Embedding the account password, on the other hand, would be quite serious.

I'm looking at some code I wrote for the AuthorizeNet 3.1 gateway and there are two form fields clearly named "x_login" and "x_password". In this trial account, have you actually set it up to use your AuthorizeNet account so that you can verify that this "transaction key" is indeed your account password?
