
Critical PayPal Security Hack: Multiple Thefts Now Reported–Check Your Settings - teslademigod1
https://www.forbes.com/sites/zakdoffman/2020/02/25/critical-paypal-security-hack-multiple-thefts-now-reported-check-your-settings/#7920ef866e98
======
brobdingnagians
> “We reported this in February 2019 to PayPal via HackerOne,” they say.
> “After an initial rejection and several discussions, PayPal paid a bug
> bounty of $4,400.” The pair have not heard from PayPal, they say, since
> April 2019. But this week “tried and could still use the virtual credit card
> for online payments.” That means, they told me, “the bug has not been
> fixed.”

> But in terms of the Fenske and Mayer disclosure, the researchers told me
> that this is not fixed, even after PayPal’s “mitigation” statement.

If Paypal has known about it for a year and it still isn't fixed, then it
means that either 1. Paypal didn't understand the bug report and "fixed"
something else 2. Paypal understood the bug report, didn't fix it, and is
trying to save face. Either one of those sounds pretty bad for their security
policy...

~~~
rocqua
As for paypal's security policy, note that they have a maximum password length
of 24 characters, and routinely send people e-mails with a big 'log-in' link.

These are both bad practice. The password length limit reduces the quality of
passwords, and suggests plain-text storage of passwords. The sending of log-in
links makes people much easier to phish, since people are used to clicking on
a link in e-mail and then entering their credentials on the site.

~~~
humaniania
In what way does a password length limit suggest plain-text storage?

~~~
inetknght
In the same way that the best one-way hash algorithms can accept arbitrarily
large inputs and produce a constant-sized digest.

~~~
SilasX
True but I thought you’d want to have some size limit regardless, if for no
other reason than choking up the connection with a huge one.

~~~
inetknght
Sure, but "some size limit" can be as big as 500 or 1000 bytes. "Choking up
the connection" won't be for very long at all. Even on a 2400 baud modem,
you're talking only a few seconds to transmit a kilobyte of password. On
modern cell networks or especially broadband connections, you pretty much
won't choke the connection at all with a 1000-character password.

~~~
johndough
To add to that, the login page (which contains nothing but two fields for
email and password) weighs in at 1.5 MB, so bandwidth clearly is not an issue
for PayPal.

~~~
SilasX
Which still doesn't refute the need for a limit, and a large part of why I
didn't defend a 24-character limit.

------
s5ma6n
Even yesterday there was this thread
[https://news.ycombinator.com/item?id=22403565](https://news.ycombinator.com/item?id=22403565)

PayPal needs to seriously reevaluate how they want to approach the
vulnerabilities. Why have a bounty program if you are going to act hostile
towards the white hat community or even ignore their reports?

~~~
tptacek
The two stories are unrelated, though the reporter cites the former. From the
vulnerabilities disclosed in that report, it seems pretty unlikely that
yesterday's stories caused a rash of thefts; they were all pretty low-
severity.

Note that here, Paypal paid a substantial bounty a year ago.

~~~
rasengan
From the article:

“We reported this in February 2019 to PayPal via HackerOne,” they say. “After
an initial rejection and several discussions, PayPal paid a bug bounty of
$4,400.” The pair have not heard from PayPal, they say, since April 2019. But
this week “tried and could still use the virtual credit card for online
payments.” That means, they told me, “the bug has not been fixed.”

To reiterate the OP, what is the point of a bug bounty program that ignores or
fails to address reported issues?

> The two stories are unrelated

They are related in the sense that both stories show a failure to respond to
reported issues.

> Note that here, Paypal paid a substantial bounty a year ago.

They paid but didn’t fix the issue? This is not taking account security
seriously at all.

At best, PayPal has a critical flaw in their bug bounty program.

~~~
pvg
_At best, PayPal has a critical flaw [...]_

This seems curiously confident given that just about every single one of your
many comments on the other story was inaccurate or a misinterpretation.

~~~
rasengan
> This seems curiously confident given that just about every single one of
> your many comments on the other story was inaccurate or a misinterpretation.

So you don’t think that sending a bug bounty reward a year ago to a security
researcher who exposed a flaw, that is still being exploited to take money
from people, is a critical flaw in the program?

~~~
pvg
Do I think it's possible PayPal had an incomplete fix or had a regression or
an organizational screwup of some kind? Absolutely, that is possible.

Do I think your 'motivated googling' approach to analyzing either story is
likely to produce worthwhile insight? Not really. We've already seen it be
remarkably inaccurate.

~~~
rasengan
> Do I think it's possible PayPal had an incomplete fix or had a regression or
> an organizational screwup of some kind? Absolutely, that is possible.

Great! You’re in agreement!

------
luckylion
> PayPal told me that “the security of customer accounts is a top priority for
> the company.”

I wish journalists would ridicule this corporate bullshit lingo instead of
just relaying it. I'm fairly certain that anyone that ever had contact with
PayPal's (or Amazon's, or probably any other large corporation's) customer
service with issues regarding security can attest that it's absolutely not one
of their top priorities.

They haven't even bothered to make their official emails not look like
phishing attempts. They don't care about security.

~~~
7777fps
It's called the "right of reply". It's courtesy to reach out to a company and
include their response without critique about whether it's "corporate
bullshit".

~~~
inetknght
I agree that reaching out to whomever's being criticised is a courtesy and,
sometimes, even legally required. But I don't think it's right to not
critique. When a company blatantly uses doublespeak, that should absolutely be
critiqued.

~~~
carapace
You're talking about blurring the difference between journalism and opinion.

~~~
herendin2
No, the journalist could easily find independent evidence that suggests the
corporate statement is bullshit.

It should be challenged and ridiculed. That is the journalist's duty, and they
failed.

Their job is not to be a copy and paste machine for company press releases.

~~~
carapace
I agree with your first and third sentences, but not your second.

~~~
luckylion
You don't think they should challenge a company's claim, or should they, but
not in the same article?

~~~
carapace
It's not the journalist's duty to ridicule anyone. Jon Stewart's "The Daily
Show" was very entertaining, and even somewhat informative, but I think he
would be one of the first to say that it wasn't journalism. I don't like
corporate bullshit lingo either but when that's what they say as their formal
statement to the press then relaying it is the journalistic duty.

It's one thing if the company is outright lying, but PR blather doesn't really
count (for all that it's pointless and annoying.) In any event, yeah, if they
want to editorialize, that's fine but it's done in a separate "Editorial"
section. (
[https://en.wikipedia.org/wiki/Editorial](https://en.wikipedia.org/wiki/Editorial)
)

~~~
luckylion
You wouldn't need to take Jon Stewart's approach though. I'd be fine if the
ridiculing comes from another party that the journalist gives room to. Ask a
consumer advocate what they think of PayPal's statement, or ask an infosec
professional.

Letting the PR speech stand by itself without large red arrows pointing at the
absurdity gives it way too much power imho.

~~~
carapace
I "feel ya" but you've got those options already. In other words, maybe you're
actually complaining about people's taste in news media?

------
dessant
Regarding security at PayPal, I got a PayPal donation not long ago to my
email address in the form of {@example.com. This email was not attached to my
PayPal account, so I tried to add it to claim the payment, but client-side
validation would reject it because of the funky { alias.

I've disabled the client-side check using the browser's developer tools and my
email was accepted by the server upon submission, so I could finally claim my
5 euros :P.

All of this was preceded by me contacting support about adding my email
address. They couldn't help me and told me to contact the sender, which would
have been impossible, since it was a donation, and the only thing I had was a
PayPal notification about a pending payment to that email address.

Of course the server should have accepted the email anyway, because it was
valid, the issue just highlights a faulty development process at PayPal that
allows server-side validation to be more permissive than client-side
validation.
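An added example (not PayPal's code) of the mismatch dessant describes: `{` is a legal local-part character under RFC 5322's `atext`, so a validator built from the spec accepts `{@example.com` while a hand-rolled "letters, digits, dot, dash" pattern rejects it. The fix for client/server divergence is one shared validator; the naive pattern below is constructed to reproduce the rejection, not taken from PayPal's page.

```javascript
// Added example, not PayPal's code. RFC 5322 atext permits, in the local
// part, letters, digits and  ! # $ % & ' * + - / = ? ^ _ ` { | } ~  ; dots may
// separate atoms but not lead, trail or repeat. Quoted local parts ("a b"@x)
// are deliberately not supported here.

// Constructed strict pattern of the kind a client-side check might use.
const NAIVE_LOCAL = /^[A-Za-z0-9._-]+$/;

const ATEXT = "A-Za-z0-9!#$%&'*+\\-/=?^_`{|}~";
const DOT_ATOM = new RegExp(`^[${ATEXT}]+(\\.[${ATEXT}]+)*$`);
// DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

// Splits on the last '@' so that '@' inside a quoted local part would not
// confuse a future extension; returns null if either side is empty.
function splitAddress(addr) {
  const at = addr.lastIndexOf('@');
  if (at <= 0 || at === addr.length - 1) return null;
  return { local: addr.slice(0, at), domain: addr.slice(at + 1) };
}

// Requires at least two labels (a design choice for a payment site: no bare
// hostnames) and the usual 253-byte ceiling.
function isValidDomain(domain) {
  if (domain.length > 253) return false;
  const labels = domain.split('.');
  return labels.length >= 2 && labels.every((l) => LABEL.test(l));
}

// The one validator to ship on both client and server.
function isValidEmail(addr) {
  if (typeof addr !== 'string' || addr.length > 254) return false;
  const parts = splitAddress(addr);
  if (!parts || parts.local.length > 64) return false;
  return DOT_ATOM.test(parts.local) && isValidDomain(parts.domain);
}

// The constructed client-side check that rejects '{@example.com'.
function naiveClientCheck(addr) {
  const parts = splitAddress(addr);
  return !!parts && NAIVE_LOCAL.test(parts.local) && isValidDomain(parts.domain);
}
```

Run both functions over the same address and the divergence is visible immediately; the operational lesson is that the server-side check is the one that matters for security and the client-side check is only there for UX, so the client must never be stricter than the spec the server enforces.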

------
numlock86
As a power user of Google Pay in conjunction with PayPal (in Germany) should I
be worried now and remove - as recommended - my PayPal account from Google
Pay? A lot of people around me also use it the same way as I do and no one
heard of any such incident yet. Well, now that I told them, of course everyone
heard of it at least ...

What are those "multiple reports"? I see the source is golem.de (don't get me
started on that one) and "multiple reports" can just mean that less than half
a dozen people got busted on their Google accounts for not using proper 2FA in
that context.

Also the article states that Google Pay provides a virtual credit card when
used with PayPal. How? All I saw up until now was virtual debit cards.

~~~
jotm
> Also the article states that Google Pay provides a virtual credit card when
> used with PayPal. How? All I saw up until now was virtual debit cards.

Naming confusion, I think. To some people (mostly Americans), credit and debit
cards are the same thing - just plastic payment cards. Some Europeans think
Visa/Mastercard can only be credit cards (they can be either credit or debit).

To me, the difference is that credit cards use the bank's/issuer's balance
(that you can pay back later, all at once or spread out in smaller monthly
payments), while debit cards use your bank account balance directly. I think
that's the proper differentiation.

~~~
thescriptkiddie
For added confusion, credit and debit cards have different processing
networks, with the debit networks having much lower fees. And in the US at
least, virtually all debit cards can also be processed as credit if the store
doesn't accept debit directly (eg online payments). And while in Europe all
cards have PINs, in the US only debit cards have PINs, and running them as
credit allows you to bypass the PIN requirement.

------
AdmiralAsshat
Just as a PSA, it wasn't until I looked at one of these articles in the last
few days about PayPal that a screenshot showing how to enable 2FA demonstrated
that TOTP-based authenticator apps are now allowed. For the longest time,
PayPal was only allowing 2FA SMS after they chucked their old physical
security keys.

Anyone who's been stuck on SMS may wish to login and switch over to TOTP.

~~~
lxgr
I tried when they introduced that and gave up on it again: There is no way to
mark a device as trusted, and I'm certainly not opening my 2FA app for every
single login/payment.

Also, this is 2020, where is WebAuthn? That would at least make the constant
2FA a bit more bearable.

~~~
floatingatoll
How many times per year do you pay someone with PayPal?

~~~
smileybarry
Every single login asks for TOTP, and sessions expire very quickly. Even the
mobile app asks every time, even if you use some saved/authorized login method
like fingerprint login.

For someone who uses PayPal for most online payments this can be extremely
tedious.

~~~
floatingatoll
None of this is relevant to the question asked. I understand it’s all correct,
but it fails to answer the question of quantity over time presented.

~~~
smileybarry
In my previous comment:

> For someone who uses PayPal _for most online payments_ this can be extremely
> tedious.

To rephrase that: the quantity can range from "almost every online payment" to
"every online payment". If, like many people, you try to use PayPal for most
payments to avoid credit card info leakage, that means you need to answer a
TOTP challenge on every payment.

------
rwmurrayVT
Same first 7 with only 17 possible expiration dates? That's a recipe for
disaster right from the start.

------
ljoshua
So NFC reading of embedded card details is always on, regardless of whether
you are in "payments" mode or have the app open? Is that a PayPal flaw, or is
it an Android/NFC/Google Payments flaw?

~~~
Crosseye_Jack
> So NFC reading of embedded card details is always on

Apple have a similar option BUT they restrict its use to certain payment
terminals (for example it is only supported by TfL in the UK) and can be
disabled if you want. Dunno if the data it exposes (in a physical read attack)
could be used for other payments.

> With Express Transit mode enabled, you don't have to validate with Face ID,
> Touch ID or your passcode when you pay for rides with Apple Pay on your
> iPhone and Apple Watch. And you don't need to wake or unlock your device, or
> open an app.

[https://support.apple.com/en-gb/HT209495](https://support.apple.com/en-gb/HT209495)

~~~
ThePowerOfFuet
Express Transit mode is also disabled by default.

------
Samung
That's what you get for ignoring flawed security reports.

------
m-p-3
I guess I'll remove my linked cards and bank accounts for now. Not like I use
it much anyway.

------
bibinou
> Both issues appear linked to the way Google Pay is set up on a PayPal user’s
> account.

------
bilekas
Can we get a link with no paywall / adblocker ?

~~~
Samung
Here you go [https://archive.ph/vpS31](https://archive.ph/vpS31)

~~~
bilekas
Thanks!

------
stebann
#NOFREEBOUNTIES

------
forgotmyhnacc
PayPal is really bad with security. A friend of mine reported a CSRF attack
where an attacker could withdraw all the money out of a Venmo account (Venmo
was acquired by PayPal) if the victim visited the attacker's website. It took
them several weeks to fix, and my friend didn't receive any bug bounty.

