Cybercrime: PayPal flaw

Date: March 30, 2006
Source: auctionbytes.com
By: Ina Steiner

AuctionBytes reported on Friday a vulnerability on the PayPal website that allowed anyone to find out if an email address was attached to a PayPal account, and if so, revealed the account holder's full name (http://www.auctionbytes.com/cab/abn/y06/m03/i24/s00). Several hours after AuctionBytes contacted PayPal about the security issue the page raised, PayPal fixed it, calling it "a bug."

Anyone who entered "https://www.paypal.com/affil/pal=" in the address bar of their browser could enter an email address at the end of the URL and get a page displaying the account holder's name. If the email address was not attached to a PayPal account, an error message would appear. For example, entering the email address of eBay CEO Meg Whitman after the equal sign, like this, https://www.paypal.com/affil/[email protected], revealed the full names of Whitman and her husband on her PayPal account. (eBay owns PayPal.)

The user who brought the vulnerability to AuctionBytes' attention said the security hole had been in place for about 1 year and that many scammers were aware of its existence. When asked if this was possible, and why techs at PayPal had overlooked accesses that must have generated records on the PayPal server logs, PayPal spokesperson Amanda Pires said, "the page was appearing as a bug and should never have been up there. Unfortunately, for security reasons, I can't say much more than that."
Original article

---

Add comment  Email to a Friend