"It seems that the 'victim' had opened an account using an email address of mine, with extra characters thrown in, which Gmail ignores and accepts as the same email address, so it was gmail which uncorrupted the email address and sent the emails to me, not Paypal. I had previously reported an account set-up with fraudulent email address to Paypal many times in the past, but only yesterday noticed that the email address was different to mine, in a way which on any other email system in the world would be a different email address.
Cheeky bugger. I'm gonna have to ask them to close it down or at least change the email address.
but I guess I owe you all an apology" - Matt Langley
edit: someone else posted this too.
So, some commentary. This should have been verified before posting, as it has caused some trouble for people who delinked their account etc. That said, I understand the rapid news cycle of blogging, though with something this potentially serious, I would think it would need to be verified.
Side note, first time I'd seen Namesake and it's kinda cool. Wish I could search.
What happened to the OP is that somebody signed up using a variation of his email. Obviously, if I signed up at paypal with YOUR email address, you'd start receiving MY paypal emails.
There is no vulnerability. Only stupid people signing up with other people's emails.
Quoting your first link:
> I receive internal business emails addressed to this other guy and when I email him back, it comes back to me.
It obviously will come back to him, because the guy is emailing himself.
Almost all other sites do this. It's simple best practice and it stops them spamming third parties.
Twitter and Facebook both do.
> Side note, first time I'd seen Namesake and it's kinda cool.
This reminds me of convore. Does anyone know who was first?
I know that if this does turn out to be a legit security issue, Paypal's engineers will soon deploy a fix, after which I will just re-associate it.
The procedure is:
1) log into your paypal account
2) click "profile"
3) Click on "My Money"; or if you don't see that, look for the subheading "Financial Information" and click "Bank accounts"
4) You should see a link for the bank account; select it
5) click "Remove"
6) *confirm* on the next screen (be sure to click that "confirm remove" button)
7) See the confirmation message
Once was when 5 chargebacks came in on one day early in a month from a set of 5 credit card payments made by a single scammer; that put my account over some chargeback percentage level allowed by my merchant account provider and they terminated me on the spot after years of service. I had to ask dozens of customers with monthly subscriptions to sign up again with another payment provider, not all of them did.
The second time Google decided it would no longer allow AdWords ads for an entire category of (perfectly legal, non-scammy) services and suspended all ads in that category, including mine. Overnight my largest source of customers is gone and is never coming back. There's still Bing/Yahoo! but nobody quite matches the reach of Google for online advertising.
At this point I plan backups for the loss of every possible business relationship just to keep myself sane... while praying I never have to switch to the backups because there's obviously a reason they're the backup and not the primary.
I was always more afraid of paypal itself being able to get at the mandatory associated bank account so we created a special account just to link to paypal. It's kept mostly empty most of the time.
It was hell-and-a-half to get the bank to turn off the "overdraft protection" on the account.
"It seems that the 'victim' had opened an account using an email address of mine, with extra characters thrown in, which Gmail ignores and accepts as the same email address, so it was gmail which uncorrupted the email address and sent the emails to me, not Paypal. I had previously reported an account set-up with fraudulent email address to Paypal many times in the past, but only yesterday noticed that the email address was different to mine, in a way which on any other email system in the world would be a different email address."
Among other interesting tidbits: "All users are potentially vulnerable, but users of free email services are the most vulnerable, for reasons that I won't divulge until Paypal have fixed it."
@Alex Khomenko told me, in another place, that there may be a secondary authentication on password changes from the forgotten password link in the US PayPal. If true and currently in place, this would mean that the US is not vulnerable, although they may still have the email bug.
Surely my bank would notify me though if my credit card started getting hammered. I don't suppose I'm the target thieves would be looking for though, it'd be those with large balances sitting in their account.
The article is rather light on details though, I wonder just how true it really is. That said, they have nothing to gain (other than impressions) for running it.
It is indeed not a massive security vulnerability but a much smaller one. We're updating our piece as we speak and can only apologise that we published before being absolutely sure of the level of the threat.
I was recently travelling abroad, and decided to buy Glyphish icons to finish an app I was working on. This proved to be tough. Upon logging in to my PayPal account, I got locked out.
"We want to check with you to make sure that no one has logged in to your account without your permission."
My account now states that it is "limited" and has some drivel about me having to send my driver license/passport/etc. copies to re-enable my account. I understand that this is all in the name of security, but really, I wish they didn't use such heavy-handed one-size-fits-all measures.
Also, Paypal doesn't appear to verify email addresses on registration, so anyone can create multiple accounts for the same person without any need to click a confirmation link in a verification email. Again, a flaw but not a massive security vulnerability as far as we can tell.
When you sign up for a gmail address, all dot variations of the email address belong to you. So if you have email@example.com, then emails to firstname.lastname@example.org will also go to you, and email@example.com will also go to you.
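The two points made above, that Gmail delivers every dot variation of a local part to the same inbox and that Paypal did not verify the address at sign-up, are exactly what a registration system has to account for. The following is an added example, not code from the original thread or from Paypal: it canonicalises addresses so that `john.doe@gmail.com` and `johndoe@gmail.com` are treated as the same mailbox, refuses a second account on an inbox that already has one, and requires an HMAC-signed, expiring confirmation token before the account counts as verified. The provider table (Gmail also ignoring `+tag` and `googlemail.com` being an alias of `gmail.com`) and the case folding of the local part are assumptions of this example, as are all the function and class names.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Gmail delivers mail for any dot placement and any "+tag" suffix in the local
# part to the same inbox, and googlemail.com is an alias of gmail.com. Which
# providers get this treatment is an assumption of this example; extend the
# table only for providers you have verified behave the same way.
DOT_INSENSITIVE_DOMAINS = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address really delivers to."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # Folding case everywhere is a pragmatic choice (assumption): RFC 5321
    # leaves the local part case-sensitive, but providers ignore case in practice.
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        domain = DOT_INSENSITIVE_DOMAINS[domain]
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


@dataclass
class Account:
    display_email: str   # what the user typed; use this when sending mail
    canonical: str       # what uniqueness and tokens are keyed on
    holder: str
    verified: bool = False


class Registry:
    """Minimal account store keyed on the canonical address (example only)."""

    def __init__(self, token_secret: bytes, token_ttl: int = 3600):
        self._accounts: Dict[str, Account] = {}
        self._secret = token_secret
        self._ttl = token_ttl

    def register(self, email: str, holder: str) -> Tuple[str, Account]:
        key = canonical_email(email)
        existing = self._accounts.get(key)
        if existing is not None:
            # This inbox already has an account: refuse rather than create a
            # second one whose notifications land in a stranger's mailbox.
            return "collision", existing
        acct = Account(display_email=email, canonical=key, holder=holder)
        self._accounts[key] = acct
        return "pending", acct

    def issue_token(self, acct: Account, now: Optional[int] = None) -> str:
        """Token for the confirmation link, bound to the canonical mailbox and
        an expiry so it cannot be replayed for another address or later."""
        expires = (now if now is not None else int(time.time())) + self._ttl
        msg = f"{acct.canonical}|{expires}".encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return f"{expires}.{mac}"

    def confirm(self, email: str, token: str, now: Optional[int] = None) -> bool:
        """Called when the link is clicked; only then is the account verified."""
        key = canonical_email(email)
        acct = self._accounts.get(key)
        if acct is None:
            return False
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False
        current = now if now is not None else int(time.time())
        if current > expires:
            return False
        expected = hmac.new(self._secret, f"{key}|{expires}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False
        acct.verified = True
        return True


if __name__ == "__main__":
    # Constructed sample: the second sign-up is a dot variation of the first.
    reg = Registry(b"constructed-example-secret", token_ttl=600)
    print(reg.register("john.doe@gmail.com", "First User"))
    print(reg.register("johndoe@gmail.com", "Someone Else"))   # collision
```

The point of keying on the canonical form is that the collision is caught at sign-up, when the real owner of the inbox can still be asked to confirm, rather than discovered months later when someone else's business emails start arriving. The token check is deliberately a full HMAC over address and expiry with a constant-time compare; a random opaque token stored server-side works just as well, but either way the account must stay unusable until `confirm` succeeds.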
In other words, do I need to worry about my Paypal account? My account is linked to a checking account and cc.
The reason it's a non-issue is that this only happened because they set up the account with an email address they did not control, but that only became apparent later, by which time this had got away from me.
Just because you can't do it doesn't mean it is fixed.
If you submit just the right form data you can probably corrupt the address in a predictable way. I don't think they mean just entering in a bogus address somewhere.
Luckily, I was completely wrong, and all is well. Sorry for anyone who panicked. I wasn't expecting it to get published so quickly without further discussion. I didn't even provide the screen shots at that time. It's all rather embarrassing. Mr Zee Kane took charge when he woke up and we worked through it once I got some key movers to endorse him. I didn't want to spread the apparent weakness to those who might take advantage of it. I was hasty in following advice to make it more widely known, and they were hasty to publish straight away without further discussion.
The account I was given access to was set up against an email synonym I didn't know about, and Paypal never bothered to verify the email address. It's not my account though: someone else's name, address, and other details. A bit nefarious but not a security issue unless you plan to open an account with someone else's email address. Now, I'm not sure who's the hacker and who's the victim! I plan to request that Paypal disable the account, or at least remove my email from it, and if they refuse I will change the email myself.