Cybercrime: PayPal flawDate: March 30, 2006
Anyone who entered "https://www.paypal.com/affil/pal=" in the address bar of their browser could enter an email address at the end of the URL and get a page displaying the account holder's name. If the email address was not attached to a PayPal account, an error message would appear. For example, entering the email address of eBay CEO Meg Whitman after the equal sign, like this, https://firstname.lastname@example.org, revealed the full names of Whitman and her husband on her PayPal account. (eBay owns PayPal.)
The user who brought the vulnerability to AuctionBytes' attention said the security hole had been in place for about 1 year and that many scammers were aware of its existence. When asked if this was possible, and why techs at PayPal had overlooked accesses that must have generated records on the PayPal server logs, PayPal spokesperson Amanda Pires said, "the page was appearing as a bug and should never have been up there. Unfortunately, for security reasons, I can't say much more than that."
Add comment Email to a Friend