(debunked) PayPal vulnerability allows access to any account within 30 seconds (thenextweb.com)
142 points by dwynings on June 16, 2011 | hide | past | favorite | 53 comments



Appears this is a non-issue. For those who have been following, Matt Langley (the person who "discovered" the issue) has been posting updates here:

http://namesake.com/conversation/mattlangley/i-just-accident...

Relevant post:

"It seems that the 'victim' had opened an account using an email address of mine, with extra characters thrown in, which Gmail ignores and accepts as the same email address, so it was gmail which uncorrupted the email address and sent the emails to me, not Paypal. I had previously reported an account set-up with fraudulent email address to Paypal many times in the past, but only yesterday noticed that the email address was different to mine, in a way which on any other email system in the world would be a different email address.

Cheeky bugger. I'm gonna have to ask them to close it down or at least change the email address.

but I guess I owe you all an apology" - Matt Langley

edit: someone else posted this too.

So, some commentary. This should have been verified before posting, as it has caused some trouble for people who delinked their account etc. That said, I understand the rapid news cycle of blogging, though with something this potentially serious, I would think it would need to be verified.

Side note, first time I'd seen Namesake and it's kinda cool. Wish I could search.


When you sign up for a gmail address, all dot variations of the email address belong to you. So if you have andzdroid@gmail.com, then emails to andz.droid@gmail.com will also go to you, and a.n.d.z.d.r.o.i.d@gmail.com will also go to you.

What happened to the OP is that somebody signed up using a variation of his email. Obviously, if I signed up at paypal with YOUR email address, you'd start receiving MY paypal emails.

There is no vulnerability. Only stupid people signing up with other peoples' emails.


But there continue to be reports that GMail has some issues with the dots where andzdroid@gmail.com and andz.droid@gmail.com can be two different accounts:

http://www.google.com/support/forum/p/gmail/thread?tid=60cbf... http://www.google.com/support/forum/p/gmail/thread?tid=2d9f3...


This is just people that don't know how GMail works.

Quoting your first link:

> I receive internal business emails addressed to this other guy and when I email him back, it comes back to me.

It obviously will come back to him, because the guy is emailing himself.


You can also tack on a +<anything> to your gmail. So if you have example@gmail, you also own example+foo@gmail, example+bar@gmail, and so on.


He's receiving emails from a fraudulent account that was set up with his email address but with a "." in it. I can't see the vulnerability there but it is important to point out. Paypal should be aware that Gmail allows it. I just created 3 different paypal accounts with the three different email addresses that only differ by the position of the dot.
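The Gmail behaviour described in the comments above (dots in the local part ignored, a "+tag" suffix delivered to the same inbox, and several sign-ups that therefore reach one mailbox) can be checked at registration time. The following is an added example, not code from PayPal, Gmail or any commenter: it canonicalises an address to the mailbox it actually delivers to and groups sign-ups that collide. The Gmail-specific rules are applied only to gmail.com and googlemail.com; for every other domain the address is left as written, since there a dot makes a different address. The sample registrations are constructed.

```python
"""Canonicalise Gmail-style addresses and flag sign-ups sharing a mailbox.

Added example, not code from PayPal, Gmail or the thread's commenters.
Rules applied only for gmail.com / googlemail.com, as the thread describes:
dots in the local part are ignored and a "+tag" suffix is dropped. Other
domains are left alone, because for them a dot makes a different address.
"""
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    The domain is always lower-cased (domains are case-insensitive). For
    Gmail only, the local part is lower-cased, anything after a '+' is
    dropped, and dots are removed; googlemail.com is folded into gmail.com.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shared_mailboxes(registrations: dict[str, str]) -> dict[str, list[str]]:
    """Group account ids whose registered addresses reach the same mailbox.

    Only groups with more than one account are returned; these are the
    sign-ups a registration flow should refuse, or hold until the address
    has been verified by a confirmation link.
    """
    by_mailbox: dict[str, list[str]] = defaultdict(list)
    for account_id, address in registrations.items():
        by_mailbox[canonical_email(address)].append(account_id)
    return {mb: ids for mb, ids in by_mailbox.items() if len(ids) > 1}


# Constructed sample: four sign-ups, three of which deliver to one inbox.
SAMPLE_REGISTRATIONS = {
    "acct-1": "andzdroid@gmail.com",
    "acct-2": "andz.droid@gmail.com",
    "acct-3": "A.N.D.Z.Droid+paypal@googlemail.com",
    "acct-4": "andz.droid@example.org",  # other provider: a distinct address
}

if __name__ == "__main__":
    for mailbox, ids in find_shared_mailboxes(SAMPLE_REGISTRATIONS).items():
        print(f"{mailbox}: {', '.join(ids)}")
```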


Yup. More importantly, they should verify email addresses at registration time and delete accounts which don't get verified.

Almost all other sites do this. It's simple best practice and it stops them spamming third parties.


I'm surprised PayPal doesn't already do this. (My account is years old, so I don't know their current practices for creating new accounts).

Twitter and Facebook both do.


Yup, that's about the size of it.


completely OT:

> Side note, first time I'd seen Namesake and it's kinda cool.

This reminds me of convore. Does anyone know who was first?


Namesake is indeed kinda cool. I created an entry for a separate discussion:

http://news.ycombinator.com/item?id=2661165


I don't have any information about this other than what's in the article. However, as a proactively paranoid precaution, I've chosen to temporarily de-associate my company's bank account from its paypal account, just to make it impossible for an attacker to drain those funds.

I know that if this does turn out to be a legit security issue, Paypal's engineers will soon deploy a fix, after which I will just re-associate it.

The procedure is:

  1) log into your paypal account
  2) click "profile"
  3) Click on "My Money"; or if you don't see that, look for the subheading "Financial Information" and click "Bank accounts"
  4) You should see a link for the bank account; select it
  5) click "Remove"
  6) *confirm* on the next screen (be sure to click that "confirm remove" button)
  7) See the confirmation message

That's it. Depending on your Paypal balance, you may want to try transferring funds into the account before dissociating. [EDIT: Or maybe not, sounds like it could block the disassociation procedure - check the comments below.] I don't know if you can do both in sequence quickly; fortunately our paypal balance happened to be really low today.


It won't let me do this at the moment because a withdrawal is already pending.


I'm actually more afraid of delinking then relinking a bank account setting off some kind of red flag at PayPal's risk department than losing the balance of a bank account. PayPal's the preferred way to pay for millions of people; losing access to it forever as a business may be worth more than my current linked assets.


Man, I seriously hope I never find my business relying so heavily on another business that I mistrust that much. That would keep me awake at night.


Oh it does. And it always happens when you least expect it. I had my main source of income disappear overnight twice.

Once was when 5 chargebacks came in on one day early in a month from a set of 5 credit card payments made by a single scammer; that put my account over some chargeback percentage level allowed by my merchant account provider and they terminated me on the spot after years of service. I had to ask dozens of customers with monthly subscriptions to sign up again with another payment provider, not all of them did.

The second time Google decided it would no longer allow AdWords ads for an entire category of (perfectly legal, non-scammy) services and suspended all ads in that category, including mine. Overnight my largest source of customers is gone and is never coming back. There's still Bing/Yahoo! but nobody quite matches the reach of Google for online advertising.

At this point I plan backups for the loss of every possible business relationship just to keep myself sane... while praying I never have to switch to the backups because there's obviously a reason they're the backup and not the primary.


This seems prudent. From what I can see in our account, it's a single passwordless click to empty the associated account into the paypal once you have the paypal password. (probably right up to the limit of the so-called "overdraft protection" on the bank account)

I was always more afraid of paypal itself being able to get at the mandatory associated bank account so we created a special account just to link to paypal. It's kept mostly empty most of the time.

It was hell-and-a-half to get the bank to turn off the "overdraft protection" on the account.


I just did this, but it tells me they cannot close the account because there's a transaction open. I bought a domain yesterday. This is with the German paypal, and a German bank, which are known to be among the most retrograde and cumbersome. Does anyone have a workaround?


Is there a way of having one's account completely deleted from paypal by request? Through the support website? I only found a link for "close account" and I cannot use it since my account has been "limited" and I have no interest in sending paypal even more of my personal information like copy of passport and what not.


Updated. Doesn't look like a huge issue, although obviously needs to be fixed:

"It seems that the 'victim' had opened an account using an email address of mine, with extra characters thrown in, which Gmail ignores and accepts as the same email address, so it was gmail which uncorrupted the email address and sent the emails to me, not Paypal. I had previously reported an account set-up with fraudulent email address to Paypal many times in the past, but only yesterday noticed that the email address was different to mine, in a way which on any other email system in the world would be a different email address."

From http://namesake.com/conversation/mattlangley/i-just-accident...


For US accounts, PayPal requires a person to verify the security question on the account if one was set or the credit/debit card number before being able to change the password.


Mr. Langley posted screenshots and additional information on Namesake earlier today:

http://namesake.com/conversation/mattlangley/i-just-accident...

Among other interesting tidbits: "All users are potentially vulnerable, but users of free email services are the most vulnerable, for reasons that I won't divulge until Paypal have fixed it."


That implies that it's easier to get the password change email sent to an address with a different local part at the same domain than to a completely different domain.


He also noted:

  @Alex Khomenko told me in another place, that there may be
  a secondary authentication on password changes from the
  forgotten password link, in the US PayPal. If true and
  currently in place this would mean that the US is not
  vulnerable, although they may still have the email bug

He said he doesn't use PayPal himself and that he only requested a change password link when he was trying to contact them about "effective spam". Perhaps he supplied them with one of his email addresses and it happened to have a counterpart at a different subdomain (like example@email.com vs example@email.com.au)?

EDIT: Formatting.


The opening statement (and URL) of this post is rather interesting: "I just accidental hacked PayPal" followed by "it took 30 seconds and I had total access to someone else's account".


This is rather scary.

Surely my bank would notify me though if my credit card started getting hammered. I don't suppose I'm the target thieves would be looking for though, it'd be those with large balances sitting in their account.

The article is rather light on details though, I wonder just how true it really is. That said, they have nothing to gain (other than impressions) for running it.


It would be great if the article had a proof of concept (or at least a more detailed explanation). I don't feel like doing it myself to verify if it's true, and put my account at risk at the same time.


There's no reason to publicly describe the attack. Even if you weren't planning on being evil, it would be incredibly easy to abuse.


This is Zee from The Next Web. Just woken up to this and have personally spoken to Matt Langley the person in question who - after some convincing - explained the entire process to me.

It is indeed not a massive security vulnerability but a much smaller one. We're updating our piece as we speak and can only apologise that we published before being absolutely sure of the level of the threat.


At least no one can say that PayPal is ever lax on security. This vulnerability, if it exists, could be more of an honest developer mistake.

I was recently travelling abroad, and decided to buy Glyphish icons to finish an app I was working on. This proved to be tough. Upon logging in to my PayPal account, I got locked out.

"We want to check with you to make sure that no one has logged in to your account without your permission."

My account now states that it is "limited" and has some drivel about me having to send my driver license/passport/etc. copies to re-enable my account. I understand that this is all in the name of security, but really, I wish they didn't use such heavy-handed one-size-fits-all measures.


So this is the gist... There is a small vulnerability because Gmail allows you to include dots in your email address, it essentially allows anyone to create multiple Paypal accounts with the same email address because Paypal recognises the inclusion of a dot as a separate email address entirely. It seems like a flaw but not a massive security vulnerability.

Paypal also doesn't appear to verify email addresses on registration, so anyone can create multiple accounts for the same person without any need to click a confirmation link in a verification email. Again, a flaw but not a massive security vulnerability as far as we can tell.


It's not true and it's not a 'vulnerability'.

When you sign up for a gmail address, all dot variations of the email address belong to you. So if you have andzdroid@gmail.com, then emails to andz.droid@gmail.com will also go to you, and a.n.d.z.d.r.o.i.d@gmail.com will also go to you.

What happened to the OP is that somebody signed up using a variation of his email. Obviously, if I signed up at paypal with YOUR email address, you'd start receiving MY paypal emails.

There is no vulnerability. Only stupid people signing up with other peoples' emails.


Next time you think you discovered a gigantic easily exploitable security hole in a mature service that has been around for 10+ years, please think again and research it a lot more before you make a fuss about it. It's possible, of course - but not very damn likely. It's much more likely you are confused. I tried to tell Matt Langley that yesterday on Quora, but he didn't quite buy it, and now he's drinking one big mug of mea culpa. Hopefully this thing will blow over soon, but as a former employee it pains me to see PayPal having to debunk this in social media this morning.


Update: "It seems that the 'victim' had opened an account using an email address of mine, with extra characters thrown in, which Gmail ignores and accepts as the same email address, so it was gmail which uncorrupted the email address and sent the emails to me, not Paypal. I had previously reported an account set-up with fraudulent email address to Paypal many times in the past, but only yesterday noticed that the email address was different to mine, in a way which on any other email system in the world would be a different email address."


Seeing how he and the guy he hacked are both on gmail, I would guess that this might be a case of "mjfoo is the same as m.j.foo", or a gmail account that had been deleted before, but is still associated with a Paypal account. Paypal exists because of fraud detection and working security. If they had a single stupid bug like unescaped wildcards or something, that would be quite a shadow cast on their one main selling point.


I suspect it may have to do with RFC 822 arcana. There are a lot of ways to encode the same email address.


Just how serious is this? Is this just some guy who stumbled on a hack and can't repeat it? Or is this some fundamental flaw in Paypal's security?

In other words, do I need to worry about my Paypal account? My account is linked to a checking account and cc.


Mind changing the title of this thread?


The post has been updated to state that this was debunked, though there are no details.


Maybe using that exploit I'd finally be able to get back access to my account that I set up with my previous work email address and forgot to update before I left the company and lost access to the email address.


Heh. You should suggest that to paypal's tech support so we can get a bugfix in faster. They might care a great deal more about you getting your stranded money back than crackers stealing users' cash...


Well done, PayPal. Well done. The one thing that I don't need compromised... :(


NOTE: According to the source, this has now been debunked.


Don't Panic!


Having slept on it, I would like to point out that I did gain complete control of someone else's account, viewed their personal information, and could have conducted transactions against any credit card or bank details they had set-up.

The reason it's a non-issue is that this only happened because they set up the account with an email address they did not control, but that only became apparent later, by which time this had got away from me.


Always wanted to say this. #silverlining


Well, at least Mr Francis Tan and thenextweb.com won't have to worry about their accounts' safety anymore... since they will definitely get frozen ASAP.


Seems to be fixed, if not I'm missing something and need to wipe my account. Can anyone verify?


How do you know if this is fixed or not? The article didn't provide any details about the exploit beyond saying there's a bug in the e-mail system for password recovery.


Well, the article said "any paypal account", and I can't get it to send a reset token to an unauthorized email, so at the least it seems that either the claim was wrong, or they fixed it.


It doesn't say how they are sending it to an unauthorized email; maybe there is some hidden value in the form that they are sending to allow it, or something altogether different to get the reset email.

Just because you can't do it doesn't mean it is fixed.


"It’s a bug in their email system that corrupts email addresses."

If you submit just the right form data you can probably corrupt the address in a predictable way. I don't think they mean just entering in a bogus address somewhere.


Yup, nail on the head. And this post scared the begeezes out of me, because it was so close. You had me on the phone to Paypal Australia within seconds. Cost me a fortune.

Luckily, I was completely wrong, and all is well. Sorry for anyone who panicked. I wasn't expecting it to get published so quickly without further discussion. I didn't even provide the screen shots at that time. It's all rather embarrassing. Mr Zee Kane took charge when he woke up and we worked through it once I got some key movers to endorse him. I didn't want to spread the apparent weakness to those who might take advantage of it. I was hasty in following advice to make it more widely known, and they were hasty to publish straight away without further discussion.

The account I was given access to was set up against an email synonym I didn't know about, and Paypal never bothered to verify the email address. It's not my account though: someone else's name, address, and other details. A bit nefarious but not a security issue unless you plan to open an account with someone else's email address. Now, I'm not sure who's the hacker and who's the victim! I plan to request that Paypal disable the account, or at least remove my email from it, and if they refuse I will change the email myself.



