TulipTools Internet Business Owners and Online Sellers Community

Full Version: PayPal knew for 1 year about web site security flaw that made users vulnerable
Quote:A flaw on PayPal's website could help scammers who send out "phishing" emails by allowing them to determine a PayPal member's full name and include it in hoax emails, giving them an air of legitimacy.

AuctionBytes discovered the URL with the vulnerability on Friday evening when it was sent in by an anonymous user. Adding a PayPal member's email address to the end of that specific PayPal URL causes a box to appear with that member's full name. Entering an email address of a non-member brings up an error message. There is no need to log into PayPal to access that URL, and it isn't clear what the page is designed to accomplish...

full article: http://auctionbytes.com/cab/abn/y06/m03/i24/s00
Well that explains the people that have said they've gotten obvious spoofs with their real names on it...

Way to go, PayPal.  Probably put there by some  :asshat2: at PayPal making money on the side, if you know what I mean...
I know what you mean.

Can't remember which of ebay's SEC reports I saw it in.
But ebay talked about "internal" fraud as a problem or possibility
with PayPal employees.  :blinkie:
Reston Ray posted a link on the eBay Stores board to the Auctionbytes story 3 hours ago--ZERO responses...security is apparently one of those "negative" topics you ignore on the new eBay Stores board where the most important issue of the day appears to be finding the right food/beverage image to post in the new Stores Lounge thread Smile

http://forums.ebay.com/db2/thread.jspa?t...1000251105&tstart=0


Quote:Can't remember which of ebay's SEC reports I saw it in.
But ebay talked about "internal" fraud as a problem or possibility
with PayPal employees

There was a recent report that said the biggest security threat any company faces comes from within the company itself--i.e. from its employees.

The enemy within the firewall
http://community.tuliptools.com/index.ph...029.0.html
Quote:Well that explains the people that have said they've gotten obvious spoofs with their real names on it...

Way to go, PayPal. Probably put there by some :asshat2: at PayPal making money on the side, if you know what I mean...

The email lists phishers use when they visit that page were probably bought from another eBay employee making money on the side.
Quote:Reston Ray posted a link on the eBay Stores board to the Auctionbytes story 3 hours ago--ZERO responses...security is apparently one of those "negative" topics you ignore on the new eBay Stores board where the most important issue of the day appears to be finding the right food/beverage image to post in the new Stores Lounge thread

Truly amazing how little people care or how low key these things can be.
Oh, look at this, PayPal apologizes for any heightened level of concern  :Smile No reason given why that page was there in the first place, and no indication given that PayPal will accept liability for any losses people suffered as a result of an internal PayPal security problem.

Quote:kristin@paypal.com Mar-25-06 17:00 PST 11 of 18
The information noted in the above article has been resolved. We apologize for any heightened level of concern.

As we all know Phishing/Spoofing is a serious industry-wide issue, and we strongly recommend that community members be on the lookout for suspicious emails and avoid responding to emails that ask for your personal information (even if the email looks like it is coming from a reputable source). We encourage you to forward any suspicious emails that request personal information to spoof@paypal.com or spoof@ebay.com. These reports are an important part of our efforts to protect the community.

http://forums.ebay.com/db2/thread.jspa?t...1000250882&tstart=0

According to a story linked to on that thread, eBay and PayPal both knew last year it was possible for outsiders to obtain users' real names and yet failed to alert their users to the problem and did nothing to fix the problem until today.

Auctionbytes has issued a press release:

Quote:For over a year scammers and phishers may have been using a PayPal security flaw to obtain the full names of PayPal® users.

http://www.newswiretoday.com/news/4479/

The original eWeek article from January 24, 2005:

Quote:PayPal E-Mail Leak Brings Phishing Worries

Electronic payment provider PayPal Inc. on Monday confirmed that a security breach at a partner site left an unknown number of e-mail addresses exposed on the Internet.

The eBay-owned company, which has been a major target for phishing attacks, said the security breach occurred at Benchmark Portal, a third-party company that handles customer-survey e-mails and exposed a "limited number of user e-mail addresses."

Word of the data leakage first surfaced on security message boards over the weekend and pointed to an apparent bug in the software used to manage "unsubscribe" requests from PayPal users.

eWEEK.com was able to verify that certain readily available URLs could be manually manipulated to show e-mail addresses of PayPal users who recently unsubscribed from customer-service surveys.

full article: http://www.eweek.com/article2/0,1895,1754013,00.asp

This isn't the first time that eBay/PayPal has known of a security flaw on its sites and ignored the problem. eBay was warned of the flaw that allowed phishers to place malicious JavaScript directly in listings 1 year before the flaw made headlines when it was exploited by several phishers last fall. Both eBay and LiveWorld knew of a serious security hole in LiveWorld's forum software in 2004 that allowed phishers to obtain users' account info and yet took months to fix the problem.

eBay gets an F for security...and its attempts to blame its users are laughable.  Angryfire

related topics:
2004 Security Defect in LiveWorld Forums Gave Hackers Access to eBay Users Data
http://community.tuliptools.com/index.ph...837.0.html
Exploding the Myth That eBay Is A Safe Marketplace: eBay Puts Users At Risk
http://community.tuliptools.com/index.ph...875.0.html
eBay Knew For 1 Yr.That Security Holes On Its Site Could Lead to Account Hijacks
http://community.tuliptools.com/index.ph...668.0.html
Quote:Auctionbytes has issued a press release:

AuctionByteme finally wrote a news story instead of doing their usual bit of trying to pass off their advertisers press releases as news and they issue THREE press releases to announce it?  Happy001

Smile

From today's AuctionByteme:

Quote:The user who brought the vulnerability to AuctionBytes' attention said the security hole had been in place for about 1 year and that many scammers were aware of its existence. When asked if this was possible, and why techs at PayPal had overlooked accesses that must have generated records on the PayPal server logs, PayPal spokesperson Amanda Pires said, "the page was appearing as a bug and should never have been up there. Unfortunately, for security reasons, I can't say much more than that."

full article: http://auctionbytes.com/cab/abn/y06/m03/i27/s04
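The flaw quoted at the top of the thread is an unauthenticated lookup page that turns an e-mail address into a member's full name, and the AuctionBytes follow-up quoted just above notes that every such access would have left a record in PayPal's server logs. The script below is an added illustration of the check those log records would have allowed, not code from PayPal, AuctionBytes or this forum: it parses web-server access-log lines and flags any source address that queries the lookup page for an unusually large number of distinct e-mail addresses inside a short time window, which is the footprint of someone harvesting names in bulk rather than a member looking up one address. The endpoint path (`/cgi-bin/name-lookup`), the `email` query parameter and the log lines themselves are all constructed for the example, since the page does not give the real URL.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in Common Log Format. The lookup path and the
# "email" parameter are assumptions for the example, not PayPal's real URL.
# 203.0.113.7 queries seven times for six different addresses in a few seconds;
# 198.51.100.3 looks up a single address; 192.0.2.9 never touches the page.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2006:21:00:01 -0800] "GET /cgi-bin/name-lookup?email=alice%40example.com HTTP/1.1" 200 512
203.0.113.7 - - [24/Mar/2006:21:00:02 -0800] "GET /cgi-bin/name-lookup?email=bob%40example.com HTTP/1.1" 200 498
203.0.113.7 - - [24/Mar/2006:21:00:03 -0800] "GET /cgi-bin/name-lookup?email=carol%40example.com HTTP/1.1" 200 503
203.0.113.7 - - [24/Mar/2006:21:00:04 -0800] "GET /cgi-bin/name-lookup?email=dave%40example.com HTTP/1.1" 200 210
203.0.113.7 - - [24/Mar/2006:21:00:05 -0800] "GET /cgi-bin/name-lookup?email=alice%40example.com HTTP/1.1" 200 512
203.0.113.7 - - [24/Mar/2006:21:00:06 -0800] "GET /cgi-bin/name-lookup?email=erin%40example.com HTTP/1.1" 200 507
203.0.113.7 - - [24/Mar/2006:21:00:07 -0800] "GET /cgi-bin/name-lookup?email=frank%40example.com HTTP/1.1" 200 499
198.51.100.3 - - [24/Mar/2006:21:05:00 -0800] "GET /cgi-bin/name-lookup?email=me%40example.org HTTP/1.1" 200 500
192.0.2.9 - - [24/Mar/2006:21:06:00 -0800] "GET /index.html HTTP/1.1" 200 3033
"""

LOOKUP_PATH = "/cgi-bin/name-lookup"   # assumed endpoint path

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    email = parse_qs(parts.query).get("email", [None])[0]
    return {
        "ip": m["ip"],
        "ts": ts,
        "path": parts.path,
        "email": email.lower() if email else None,
        "status": int(m["status"]),
    }


def find_enumerators(log_text, path, min_distinct=5, window_seconds=600):
    """Return {ip: {"distinct_emails": n, "requests": m}} for every source that
    looked up at least `min_distinct` different addresses on `path` within any
    `window_seconds`-long window. A single member checking one address is never
    flagged; only bulk name harvesting crosses the threshold."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path or rec["email"] is None:
            continue
        by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = {r["email"] for r in recs[start:end + 1]}
            if len(distinct) >= min_distinct:
                prev = flagged.get(ip, {"distinct_emails": 0})["distinct_emails"]
                flagged[ip] = {
                    "distinct_emails": max(prev, len(distinct)),
                    "requests": len(recs),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG, LOOKUP_PATH).items():
        print(f"{ip}: {info['distinct_emails']} distinct addresses in {info['requests']} requests")
```

Run against the constructed log, only 203.0.113.7 is reported, with six distinct addresses across seven requests; the repeated lookup of the same address counts once, which is the point of keying on distinct values rather than raw hit counts. The same rule is easy to express in a SIEM: group lookups by client address over a sliding window and alert when the count of distinct e-mail parameter values passes a threshold. The fix the thread is really asking for is of course to not expose such a page unauthenticated at all; a lookup that must exist should require a logged-in session, return the same generic response for members and non-members, and be rate-limited, so that there is nothing for the detection to find.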
Maybe we are seeing a "shift" in their loyalty to ebay.
Or maybe Dave and Ina have been burnt recently too.

I'll tell you this those boinkers owe me a BIG apology.

Last year I was posting at AuctionByteMe about how ebay or paypal
were selling or renting information and they must have given out one
of my e-mail addresses to spammers and how unsafe and bogus both these companies' "security" and privacy policies really are.

The threads over there got a little dicey for a while and AuctionByteMe was
actually starting to come alive again. Should have seen the number of
views on threads I was involved in. They went through the roof.
(The whole how controversy attracts lurkers thing).  Laughing7

Anyway they banned me and some pp cheerleader.
It was this boinktard that was being an asphat for the most part but
I got banned for telling what I knew was the truth then,
and defending myself against a few of eBay's plants and the
Smileykoolaid heads that hang out over there.

A year later... Here we see AuctionByteMe running articles about all this.

Dave and Ina, you owe me a BIG apology.  Thebirdman
Quote:The user who brought the vulnerability to AuctionBytes' attention said the security hole had been in place for about 1 year and that many scammers were aware of its existence. When asked if this was possible, and why techs at PayPal had overlooked accesses that must have generated records on the PayPal server logs, PayPal spokesperson Amanda Pires said, "the page was appearing as a bug and should never have been up there. Unfortunately, for security reasons, I can't say much more than that."

The dumb asses at eBay probably spent the past year clearing their caches and rebooting repeatedly thinking it would make the security hole go away.  Happy001