

Why does PayPal have so many bugs and security issues? - marco1

I don't know a single big player on the web that has similar amounts of bugs and security issues as PayPal -- not even close. Why is that?

* They have issues with their sign-in window opening in a pop-up/dialog instead of a new tab/window. [1]

* When I received money in a foreign currency recently, it didn't appear in my PayPal dashboard. I had to talk to three PayPal employees on the phone support before the fourth told me this was apparently a bug. All my settings were correct but I had to add an additional balance in the foreign currency, temporarily, to receive the money. Actually, I should be asked what to do with the foreign-currency amount (create new balance, convert, etc.).

* I'm using two-factor authentication and it's just annoying: On their main site, I can sign in, that's fine. On other pages, they just ask me for the 2FA token from my token generator (which I don't have) and don't offer the SMS verification which should be there, too. Sometimes I have to disable 2FA completely before I can perform certain actions.

* Until a few days ago, you could capture CSRF tokens that were valid for *all* accounts, not just your own. [2]

* They have XSS vulnerabilities from time to time. Okay, lots of sites have those. If you don't escape by default, this can happen, although it shouldn't. [3][4]

I know, big legacy code base. But other companies have similar challenges. PayPal wants to work with your money, they should be *at least as* good as Twitter, Facebook, Github, and hundreds of other sites that work better.

[1] http://homakov.blogspot.de/2014/12/new-paypal-gateway-ui-is-disaster.html
[2] http://www.theregister.co.uk/2014/12/04/paypal_csrf_bug_bounty/
[3] https://nakedsecurity.sophos.com/2013/05/29/paypal-refuses-to-pay-bug-finding-teen/
[4] http://www.forbes.com/sites/firewall/2010/10/06/hackable-bug-found-on-paypal-com/
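The CSRF point in the post above (a token that is valid for every account instead of only the one it was issued to) comes down to whether the token is bound to the requesting session. The following is an added illustration, not code from the post or from PayPal, and it does not describe how PayPal's tokens actually worked: it contrasts a site-wide token with one derived per session, so that a token captured from one session is rejected for any other. The session identifiers, the server secret and the `issue_*`/`verify_*` function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; a real deployment loads this from a secrets store.
SERVER_SECRET = secrets.token_bytes(32)


# --- Weak scheme: one token for the whole site (the failure mode in the post) ---

GLOBAL_TOKEN = secrets.token_hex(32)


def issue_global_token(session_id: str) -> str:
    """Ignores the session entirely: every account gets the same token."""
    return GLOBAL_TOKEN


def verify_global_token(session_id: str, presented: str) -> bool:
    """Any holder of the token passes, regardless of which session presents it."""
    return hmac.compare_digest(GLOBAL_TOKEN, presented)


# --- Hardened scheme: token derived from the authenticated session ---

def issue_csrf_token(session_id: str) -> str:
    """Derive the token as HMAC(secret, session_id).

    session_id must be the server-side id of the authenticated session (the
    value behind the session cookie), never something the request body supplies.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, presented: str) -> bool:
    """Recompute the token for the session making the request; constant-time compare."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, presented)


def cross_session_replay_accepted(verify, issue) -> bool:
    """Return True if a token issued to session A is accepted when session B presents it."""
    token_for_a = issue("sess-A")
    return verify("sess-B", token_for_a)


if __name__ == "__main__":
    print("global token replayable across sessions:",
          cross_session_replay_accepted(verify_global_token, issue_global_token))
    print("bound token replayable across sessions:",
          cross_session_replay_accepted(verify_csrf_token, issue_csrf_token))
```

The only behavioural difference between the two schemes is the binding step: because the hardened token is a function of the session id and a server secret, it is worthless outside the session it was issued for, and leaking it from one account does not grant a forgery against another. Rotating the session id on login (and so the token with it) keeps that property across authentication boundaries.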
======
debacle
* PayPal is the most comprehensive payment integration solution on the Internet. That brings a lot of complexity.

* They also make money on relatively low fees. That requires good cost controls.

* They're no longer a prestigious company to work at. They pay a bit higher than standard because it's harder to recruit talent.

* Once you get to a certain size and complexity, especially in the financial world, changing things becomes terrifying.

------
MalcolmDiggs
I've wondered this myself.

My hunch is that an unusually large amount of their talent/engineering
resources are tied up fighting fraud and abuse...leaving a skeleton crew to do
all things front-end.

Again, just a hunch though.

------
yuhong
I remember the days when David Marcus was the CEO, then he left the company,
and now they are finally planning a break-up from eBay.

------
striking
Two reasons, to me:

* "Move fast and break things" mentality that made it big is now making it bad

* Peter Thiel isn't as much of a genius as he thinks he is (although he is pretty smart in some respects, sometimes he's completely wrong, akin to some modern-day Aristotle) and the attitude of the founders of a company creates the culture as it grows

~~~
marco1
The first may definitely be true, i.e. their legacy code base may be a heavier
burden than some other companies'.

Don't know about Peter Thiel, if there's still influence on today's work.
Anyway, it's mostly programming, implementation, craftsmanship which seems to
be so bad.

