PayPal vulnerable
Date: March 27, 2006Source: auctionbytes.com
AuctionBytes discovered the URL with the vulnerability on Friday evening when it was sent in by an anonymous user. Adding a PayPal member's email address to the end of that specific PayPal URL causes a box to appear with that member's full name. Entering an email address of a non-member brings up an error message. There is no need to log into PayPal to access that URL, and it isn't clear what the page is designed to accomplish.
PayPal tells its users to expect official PayPal emails to contain their names in the body of the email. Phishing emails that include a person's correct name that corresponds to their email address could fool the recipients into believing the email is actually from PayPal. Phishing emails are sent to trick people into revealing financial information and/or account passwords. AuctionBytes began reporting on hoax emails targeting PayPal in June of 2002 (http://auctionbytes.com/cab/abn/y02/m06/i27/s03). Since then, phishing attacks have become a serious problem for PayPal and eBay members as the emails get more sophisticated and attackers prey on unsuspecting users.
In PayPal's tips called "Protect Yourself from Fraudulent Emails" in a section titled "Please use the following tips to stay safe with PayPal," it states: "Greeting: Emails from PayPal will address you by your first and last name or the business name associated with your PayPal account. Fraudulent emails often include the salutation "Dear PayPal User" or "Dear PayPal Member".
Original article
Add comment
Email to a Friend
