

(debunked) PayPal vulnerability allows access to any account within 30 seconds - dwynings
http://thenextweb.com/industry/2011/06/16/paypal-vulnerability-allows-access-to-any-account-within-30-seconds/

======
arn
Appears this is a non-issue. For those who have been following. Matt Langley
(the person who "discovered" the issue) has been posting updates here:

[http://namesake.com/conversation/mattlangley/i-just-accident...](http://namesake.com/conversation/mattlangley/i-just-accidental-hacked-paypal-it-took-30-seconds-and-i-had-total-access-to-someone-elses-account-im-shocked-what-does-the-community-think-of-the-total-lack-of-security-measurer-used-by-paypal-basically-they-gave-me-access-to-someones-bank)

Relevant post:

 _"It seems that the 'victim' had opened an account using an email address of
mine, with extra characters thrown in, which Gmail ignores and accepts as the
same email address, so it was gmail which uncorrupted the email address and
sent the emails to me, not Paypal. I had previously reported an account set-up
with fraudulent email address to Paypal many times in the past, but only
yesterday noticed that the email address was different to mine, in a way which
on any other email system in the world would be a different email address._

 _Cheeky bugger. I'm gonna have to ask them to close it down or at least
change the email address._

 _but I guess I owe you all an apology"_ - Matt Langley

edit: someone else posted this too.

so, some commentary. This should have been verified before posting, as it has
caused some trouble for people who delinked their account etc. That said, I
understand the rapid news cycle of blogging, though with something this
potentially serious, I would think it would need to be verified.

Side note, first time I'd seen Namesake and it's kinda cool. Wish I could
search.

~~~
andypants
When you sign up for a gmail address, all dot variations of the email address
belong to you. So if you have andzdroid@gmail.com, then emails to
andz.droid@gmail.com will also go to you, and a.n.d.z.d.r.o.i.d@gmail.com will
also go to you.

What happened to the OP is that somebody signed up using a variation of his
email. Obviously, if I signed up at paypal with YOUR email address, you'd
start receiving MY paypal emails.

There is no vulnerability. Only stupid people signing up with other people's
emails.

~~~
ja27
But there continue to be reports that GMail has some issues with the dots
where andzdroid@gmail.com and andz.droid@gmail.com can be two different
accounts:

[http://www.google.com/support/forum/p/gmail/thread?tid=60cbf...](http://www.google.com/support/forum/p/gmail/thread?tid=60cbf54a7bea10b0&hl=en)
[http://www.google.com/support/forum/p/gmail/thread?tid=2d9f3...](http://www.google.com/support/forum/p/gmail/thread?tid=2d9f38bf10a53893&hl=en)

~~~
mauriciob
This is just people that don't know how GMail works.

Quoting your first link:

> I receive internal business emails addressed to this other guy and when I
> email him back, it comes back to me.

It obviously will come back to him, because the guy is emailing himself.

------
redsymbol
I don't have any information about this other than what's in the article.
However, as a proactively paranoid precaution, I've chosen to temporarily de-
associate my company's bank account from its paypal account, just to make it
impossible for an attacker to drain those funds.

I know that if this does turn out to be a legit security issue, Paypal's
engineers will soon deploy a fix, after which I will just re-associate it.

The procedure is:

    1) log into your paypal account
    2) click "profile"
    3) Click on "My Money"; or if you don't see that, look for the subheading "Financial Information" and click "Bank accounts"
    4) You should see a link for the bank account; select it
    5) click "Remove"
    6) *confirm* on the next screen (be sure to click that "confirm remove" button)
    7) See the confirmation message

That's it. Depending on your Paypal balance, you may want to try transferring
funds into the account before dissociating. [EDIT: Or maybe not, sounds like
it could block the disassociation procedure - check the comments below.] I
don't know if you can do both in sequence quickly; fortunately our paypal
balance happened to be really low today.

~~~
dangrossman
I'm actually more afraid of delinking then relinking a bank account setting
off some kind of red flag at PayPal's risk department than losing the balance
of a bank account. PayPal's the preferred way to pay for millions of people;
losing access to it forever as a business may be worth more than my current
linked assets.

~~~
thaumaturgy
Man, I seriously hope I never find my business relying so heavily on another
business that I mistrust that much. That would keep me awake at night.

~~~
dangrossman
Oh it does. And it always happens when you least expect it. I had my main
source of income disappear overnight twice.

Once was when 5 chargebacks came in on one day early in a month from a set of
5 credit card payments made by a single scammer; that put my account over some
chargeback percentage level allowed by my merchant account provider and they
terminated me on the spot after years of service. I had to ask dozens of
customers with monthly subscriptions to sign up again with another payment
provider, not all of them did.

The second time Google decided it would no longer allow AdWords ads for an
entire category of (perfectly legal, non-scammy) services and suspended all
ads in that category, including mine. Overnight my largest source of customers
is gone and is never coming back. There's still Bing/Yahoo! but nobody quite
matches the reach of Google for online advertising.

At this point I plan backups for the loss of every possible business
relationship just to keep myself sane... while praying I never have to switch
to the backups because there's obviously a reason they're the backup and not
the primary.

------
zemaj
Updated. Doesn't look like a huge issue, although obviously it needs to be
fixed:

"It seems that the 'victim' had opened an account using an email address of
mine, with extra characters thrown in, which Gmail ignores and accepts as the
same email address, so it was gmail which uncorrupted the email address and
sent the emails to me, not Paypal. I had previously reported an account set-up
with fraudulent email address to Paypal many times in the past, but only
yesterday noticed that the email address was different to mine, in a way which
on any other email system in the world would be a different email address."

From [http://namesake.com/conversation/mattlangley/i-just-accident...](http://namesake.com/conversation/mattlangley/i-just-accidental-hacked-paypal-it-took-30-seconds-and-i-had-total-access-to-someone-elses-account-im-shocked-what-does-the-community-think-of-the-total-lack-of-security-measurer-used-by-paypal-basically-they-gave-me-access-to-someones-bank)

------
dangrossman
Mr. Langley posted screenshots and additional information on Namesake earlier
today:

[http://namesake.com/conversation/mattlangley/i-just-accident...](http://namesake.com/conversation/mattlangley/i-just-accidental-hacked-paypal-it-took-30-seconds-and-i-had-total-access-to-someone-elses-account-im-shocked-what-does-the-community-think-of-the-total-lack-of-security-measurer-used-by-paypal-basically-they-gave-me-access-to-someones-bank)

Among other interesting tidbits: "All users are potentially vulnerable, but
users of free email services are the most vulnerable, for reasons that I won't
divulge until Paypal have fixed it."

~~~
caf
That implies that it's easier to get the password change email sent to an
address with a different local part at the same domain than to a completely
different domain.

~~~
jfriedly
He also noted:

    @Alex Khomenko told me in another place, that there may be
    a secondary authentication on password changes from the
    forgotten password link, in the US PayPal. If true and
    currently in place this would mean that the US is not
    vulnerable, although they may still have the email bug

He said he doesn't use PayPal himself and that he only requested a change
password link when he was trying to contact them about "effective spam".
Perhaps he supplied them with one of his email addresses and it happened to
have a counterpart at a different subdomain (like example@email.com vs
example@email.com.au)?

EDIT: Formatting.

------
ssclafani
For US accounts, PayPal requires a person to verify the security question on
the account if one was set or the credit/debit card number before being able
to change the password.

------
muppetman
This is rather scary.

Surely my bank would notify me though if my credit card started getting
hammered. I don't suppose I'm the target thieves would be looking for though,
it'd be those with large balances sitting in their account.

The article is rather light on details though, I wonder just how true it
really is. That said, they have nothing to gain (other than impressions) for
running it.

------
yeahsure
It would be great if the article had a proof of concept (or at least a more
detailed explanation). I don't feel like doing it myself to verify if it's
true, and put my account at risk at the same time.

~~~
zbanks
There's no reason to publicly describe the attack. Even if you weren't
planning on being evil, it would be incredibly easy to abuse.

------
zeedotme
This is Zee from The Next Web. Just woken up to this and have personally
spoken to Matt Langley the person in question who - after some convincing -
explained the entire process to me.

It is indeed not a massive security vulnerability but a much smaller one.
We're updating our piece as we speak and can only apologise that we published
before being absolutely sure of the level of the threat.

------
d_r
At least no one can say that PayPal is ever lax on security. This
vulnerability, if it exists, could be more of an honest developer mistake.

I was recently travelling abroad, and decided to buy Glyphish icons to finish
an app I was working on. This proved to be tough. Upon logging in to my PayPal
account, I got locked out.

"We want to check with you to make sure that no one has logged in to your
account without your permission."

My account now states that it is "limited" and has some drivel about me having
to send my driver license/passport/etc. copies to re-enable my account. I
understand that this is all in the name of security, but really, I wish they
didn't use such heavy-handed one-size-fits-all measures.

------
zeedotme
So this is the gist... There is a small vulnerability because Gmail allows you
to include dots in your email address, it essentially allows anyone to create
multiple Paypal accounts with the same email address because Paypal recognises
the inclusion of a dot as a separate email address entirely. It seems like a
flaw but not a massive security vulnerability.

Paypal also doesn't appear to verify email addresses on registration so
anyone can create multiple accounts for the same person without any need to
click a confirmation link in a verification email. Again, a flaw but not a
massive security vulnerability as far as we can tell.

~~~
andypants
It's not true and it's not a 'vulnerability'.

When you sign up for a gmail address, all dot variations of the email address
belong to you. So if you have andzdroid@gmail.com, then emails to
andz.droid@gmail.com will also go to you, and a.n.d.z.d.r.o.i.d@gmail.com will
also go to you.

What happened to the OP is that somebody signed up using a variation of his
email. Obviously, if I signed up at paypal with YOUR email address, you'd
start receiving MY paypal emails.

There is no vulnerability. Only stupid people signing up with other people's
emails.
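As an added example (not code from this thread, from PayPal or from Gmail), this is the service-side counterpart to what andypants describes (dot variations of a Gmail local part all deliver to one mailbox) and what zeedotme describes (accounts created against an address nobody verified): sign-ups are keyed by the mailbox the address actually delivers to, a second sign-up for an already-held mailbox is refused, and password-reset mail only goes to an address that has been confirmed. Gmail's "+tag" suffix handling and the `AccountRegistry` store are assumptions not taken from the page.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Domains known to ignore dots in the local part (gmail.com per the thread).
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def canonical_email(addr: str) -> Optional[str]:
    """Map an address to the mailbox it actually delivers to; None if malformed."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    if domain in DOT_INSENSITIVE_DOMAINS:
        # Assumption (documented Gmail behaviour, not on the page): "+tag" is
        # dropped as well, so the mailbox is the dotless, untagged local part.
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


class AccountRegistry:
    """Constructed stand-in for a sign-up store keyed by canonical mailbox."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}

    def register(self, email: str, name: str) -> Tuple[str, Optional[str]]:
        """Create a pending account; returns (status, verification token)."""
        mailbox = canonical_email(email)
        if mailbox is None:
            return "rejected: malformed address", None
        existing = self._accounts.get(mailbox)
        if existing is not None:
            # The new account's mail, reset links included, would land with the
            # mailbox's real owner; refuse rather than create a second account.
            return f"rejected: mailbox already registered to {existing['name']}", None
        token = secrets.token_urlsafe(32)
        self._accounts[mailbox] = {"name": name, "typed": email,
                                   "verified": False, "token": token}
        return "pending verification", token

    def confirm(self, email: str, token: str) -> bool:
        """Mark the account verified if the emailed token matches (constant time)."""
        rec = self._accounts.get(canonical_email(email) or "")
        if rec is None or rec["verified"]:
            return False
        if not hmac.compare_digest(rec["token"].encode(), token.encode()):
            return False
        rec["verified"], rec["token"] = True, None
        return True

    def may_send_password_reset(self, email: str) -> bool:
        """Reset mail goes only to a mailbox whose owner proved control of it."""
        rec = self._accounts.get(canonical_email(email) or "")
        return rec is not None and rec["verified"]
```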

------
khomenko
Next time you _think_ you discovered a gigantic easily exploitable security
hole in a mature service that has been around for 10+ years, please think
again and research it a lot more before you make a fuss about it. It's
possible, of course - but not very damn _likely_. It's much more likely you
are confused. I tried to tell Matt Langley that yesterday on Quora, but he
didn't quite buy it, and now he's drinking one big mug of mea culpa. Hopefully
this thing will blow over soon, but as a former employee it pains me to see
PayPal having to debunk this in social media this morning.

------
topbanana
Update: "It seems that the 'victim' had opened an account using an email
address of mine, with extra characters thrown in, which Gmail ignores and
accepts as the same email address, so it was gmail which uncorrupted the email
address and sent the emails to me, not Paypal. I had previously reported an
account set-up with fraudulent email address to Paypal many times in the past,
but only yesterday noticed that the email address was different to mine, in a
way which on any other email system in the world would be a different email
address."

------
moeffju
Seeing how he and the guy he hacked are both on gmail, I would guess that this
might be a case of "mjfoo is the same as m.j.foo", or a gmail account that had
been deleted before, but is still associated with a Paypal account. Paypal
exists because of fraud detection and working security. If they had a single
stupid bug like unescaped wildcards or something, that would be quite a shadow
cast on their one main selling point.

------
sanxiyn
I suspect it may have to do with RFC 822 arcana. There are a lot of ways to
encode the same email address.

------
crag
Just how serious is this? Is this just some guy who stumbled on a hack and
can't repeat it? Or is this some fundamental flaw in Paypal's security?

In other words, do I need to worry about my Paypal account? My account is linked
to a checking account and cc.

------
BasDirks
Mind changing the title of this thread?

------
mukyu
The post has been updated to state that this was debunked, though there are no
details.

------
VladRussian
Maybe using that exploit I'd finally be able to get back access to my account
that I set up with my previous work email address and forgot to update before
I left the company and lost the access to the email address.

~~~
noonespecial
Heh. You should suggest that to paypal's tech support so we can get a bugfix
in faster. They might care a great deal more about you getting your stranded
money back than crackers stealing users' cash...

------
ltamake
Well done, PayPal. Well done. The one thing that I don't need compromised...
:(

------
mikemaccana
NOTE: According to the source, this has now been debunked.

------
MattLangley
Don't Panic!

~~~
MattLangley
Having slept on it, I would like to point out that I did gain complete control
of someone else's account, viewed their personal information, and could have
conducted transactions against any credit card or bank details they had set-up.

The reason it's a non-issue is that this only happened because they set up the
account with an email address they did not control, but that only became
apparent later by which time this has got away from me.

------
kahawe
Well, at least Mr Francis Tan and thenextweb.com won't have to worry about
their accounts' safety anymore... since they will definitely get frozen ASAP.

------
zheng
Seems to be fixed, if not I'm missing something and need to wipe my account.
Can anyone verify?

~~~
dangrossman
How do you know if this is fixed or not? The article didn't provide any
details about the exploit beyond saying there's a bug in the e-mail system for
password recovery.

~~~
zheng
Well, the article said "any paypal account", and I can't get it to send a
reset token to an unauthorized email, so at the least it seems that either the
claim was wrong, or they fixed it.

~~~
noonespecial
"It’s a bug in their email system that _corrupts_ email addresses."

If you submit just the right form data you can probably corrupt the address in
a predictable way. I don't think they mean just entering in a bogus address
somewhere.

~~~
MattLangley
Yup, nail on the head. And this post scared the begeezes out of me, because it
was so close. You had me on the phone to Paypal Australia within seconds. Cost
me a fortune.

Luckily, I was completely wrong, and all is well. Sorry for anyone who
panicked. I wasn't expecting it to get published so quickly without further
discussion. I didn't even provide the screen shots at that time. It's all
rather embarrassing. Mr Zee Kane took charge when he woke up and we worked
through it once I got some key movers to endorse him. I didn't want to spread
the apparent weakness to those who might take advantage of it. I was hasty in
following advice to make it more widely known, and they were hasty to publish
straight away without further discussion.

The account I was given access to was set-up against an email synonym I didn't
know about, and Paypal never bothered to verify the email address. It's not my
account though, someone else's name, address, and other details. A bit
nefarious but not a security issue unless you plan to open an account with
someone else's email address. Now, I'm not sure who's the hacker and who's the
victim! I plan to request that Paypal disable the account, or at least remove
my email from it, and if they refuse I will change the email myself.

