Cart2 Exposes email addresses via PayPal payment

Hi, not sure if this is possible, but if it is it’d be an idea to do it asap…

Unless I’m mistaken, Cart2 exposes email addresses that are added for PayPal payments.

I discovered it this morning as I started to get a lot of spam to an address only used on one site for payment. Looking at the source for that site, the address is there in plain view.

Can this be updated to correct?

I noticed this as well quite a while ago, that the email address for the PayPal account is visible in the Cart2 page source code, and asked Michael in a PM on the RW forum about the possibility of encrypting the email address or otherwise preventing them from appearing in the page code:

One other question though - is it not possible to encrypt or otherwise hide the paypal account email login in the code for cart? Maybe easy to harvest the email address for spammers?

Reply was:

Emails in PayPal seem standard… that’s the way PayPal docs recommend it anyway and they don’t mention anything. I also googled around “encrypt email address paypal code - Google Search” but seems like not much

If I find anything will review it

It would be great if the PayPal account email address was not visible in the page code.

Well maybe the solution is to add another email address to your PayPal account. A “no-reply” or something that you don’t check and add that to your cart buttons. Then in PayPal keep your usual email as your “primary address”.

Normally your email address is included in the code as the value for the “business” variable. There is a workaround whereby you can replace the address with your PayPal Account Merchant ID. You can find it in your Account Profile assuming you have either a Premier Account or Business Account.

The UI changes a lot depending on country but something like Login > Account/Settings or “My profile” and there should be a Merchant account ID there.

Solved: Where can I find my "Secure Merchant ID"? - PayPal Community

The Merchant Account ID was introduced several years ago as an alternative to using your email address in non-hosted or non-encrypted item button code. We normally refer to this type of code as “clear text”. Using the Merchant Account ID prevents net bots from harvesting email addresses.

The ID is composed of about 13 random numbers and letters. When you open a PayPal Account, this ID is assigned to your account automatically. It does not change and it’s not possible for you to edit it. If you opened a new account, the system would assign you a new Merchant Account ID.

Assuming you have a Business Account, you would find this ID in your Account Profile under “My business info”.

Try that 😀

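A way to check your own published pages for the issue discussed in this thread, as an added example that is not part of the original posts and is not Cart2 or PayPal code: it parses page HTML and reports whether each “business” field holds an email address or a Merchant ID. The sample markup, the address `shop@example.com`, the ID `ABCDE12345FGH` and the 10 to 16 character ID pattern are constructed assumptions.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: the thread describes the ID as "about 13 random numbers and
# letters", so accept a 10-16 character alphanumeric token.
MERCHANT_ID_RE = re.compile(r"^[A-Za-z0-9]{10,16}$")


class BusinessFieldAudit(HTMLParser):
    """Collects every <input name="business"> value found in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, value, line number)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if (attr.get("name") or "").lower() != "business":
            return
        value = (attr.get("value") or "").strip()
        if EMAIL_RE.match(value):
            kind = "email"          # harvestable from the page source
        elif MERCHANT_ID_RE.match(value):
            kind = "merchant_id"    # no address exposed
        else:
            kind = "unknown"
        self.findings.append((kind, value, self.getpos()[0]))


def audit(html):
    parser = BusinessFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one button with an email, one with a Merchant ID.
SAMPLE = """
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="business" value="shop@example.com">
</form>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="business" value="ABCDE12345FGH" />
</form>
"""

if __name__ == "__main__":
    for kind, value, line in audit(SAMPLE):
        print(f"line {line}: business={value!r} -> {kind}")
```

Run it against the saved source of each page that carries a payment button; any `email` finding is a button that still publishes the address.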