Hacker News: boingy's comments

I've seen this on quite a few websites that use PayPal. If you have ever come across a site that has a 'You are now being redirected to PayPal, please wait' page in between the checkout and PayPal, then you will probably see something similar if you quickly hit Ctrl+S.

It doesn't help that PayPal themselves (https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&conte...) have tutorials with lines like: <input type="hidden" name="amount" value="15.00">

-----


Some sites that use Paypal also have a form field for where to direct to upon successful purchase. Sometimes this page has a link to download the product you're meant to be purchasing.

-----


PayPal tell you, when you get the payment confirmation through, to check the checkout ID against your own records for what the transaction should have been, but I have fixed just such vulnerabilities in my work before.

-----


But when they redirect back, isn't it easy to verify the transaction?

-----
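The check the two comments above describe, namely trusting the merchant's own order record rather than whatever amount the buyer's browser submitted, as an added example that is not part of any of the posts and is not PayPal's or any site's code. The notification field names (invoice, mc_gross, mc_currency, txn_id, receiver_email, payment_status) are assumptions modelled on the shape of IPN-style confirmations; the merchant e-mail, order records and notifications are constructed sample data. Confirming that the notification genuinely came from the payment provider is a separate step not shown here.

```python
"""Verify a payment confirmation against the merchant's own order records.

Added example (not PayPal's code or any site's code). Field names are
assumptions; the orders, merchant address and notifications are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

MERCHANT_EMAIL = "payments@example.test"  # constructed merchant address


@dataclass
class Order:
    order_id: str
    amount: Decimal      # the price the server decided, never a form field
    currency: str
    fulfilled: bool = False


@dataclass
class PaymentVerifier:
    orders: dict[str, Order]
    seen_txn_ids: set[str] = field(default_factory=set)

    def verify(self, notification: dict[str, str]) -> tuple[bool, str]:
        """Return (ok, reason). Only ok=True should trigger fulfilment."""
        # 1. The confirmation must refer to an order this server created.
        order = self.orders.get(notification.get("invoice", ""))
        if order is None:
            return False, "unknown order id"
        # 2. Only a completed payment counts; pending/reversed do not.
        if notification.get("payment_status") != "Completed":
            return False, "payment not completed"
        # 3. The money must have gone to our account, not a substituted one.
        if notification.get("receiver_email", "").lower() != MERCHANT_EMAIL:
            return False, "receiver mismatch"
        # 4. Amount and currency must match our record, not the hidden input.
        try:
            paid = Decimal(notification.get("mc_gross", ""))
        except InvalidOperation:
            return False, "malformed amount"
        if notification.get("mc_currency") != order.currency or paid != order.amount:
            return False, "amount/currency mismatch"
        # 5. A transaction id fulfils at most one order, and an order is
        #    fulfilled at most once (stops replays of a real confirmation).
        txn = notification.get("txn_id", "")
        if not txn or txn in self.seen_txn_ids:
            return False, "duplicate or missing txn_id"
        if order.fulfilled:
            return False, "order already fulfilled"
        self.seen_txn_ids.add(txn)
        order.fulfilled = True
        return True, "ok"


def make_demo_verifier() -> PaymentVerifier:
    """Constructed order records, as the merchant's database would hold them."""
    return PaymentVerifier(orders={
        "ORD-1001": Order("ORD-1001", Decimal("15.00"), "GBP"),
        "ORD-1002": Order("ORD-1002", Decimal("40.00"), "GBP"),
    })


# Constructed notifications: one legitimate, one where the browser-submitted
# amount for a 40.00 order arrived as 0.01.
GOOD = {"invoice": "ORD-1001", "mc_gross": "15.00", "mc_currency": "GBP",
        "txn_id": "TXN-A", "receiver_email": MERCHANT_EMAIL,
        "payment_status": "Completed"}
TAMPERED = dict(GOOD, invoice="ORD-1002", mc_gross="0.01", txn_id="TXN-B")

if __name__ == "__main__":
    v = make_demo_verifier()
    print(v.verify(GOOD))       # (True, 'ok')
    print(v.verify(GOOD))       # replay: (False, 'duplicate or missing txn_id')
    print(v.verify(TAMPERED))   # (False, 'amount/currency mismatch')
```

The point of the design is that the hidden `amount` field in the checkout form is treated as advisory only: the price, currency and receiver come from the server's own record, and the transaction id is remembered so that a single genuine confirmation cannot be presented twice.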


They exploited the fact that people didn't change the default passwords on their voicemail (e.g. 1234) and so were able to access them remotely using the same system a legitimate user who needed to access their voicemail remotely would use.

-----


Not quite as bad, but it is also possible to get a user's IP address just by sending them a friend request. This has been known about and exploited for months, possibly over a year. It's meant that high-profile users of Skype on sites like YouTube or twitch.tv have to keep their Skype private and/or connect to it specifically with a proxy to avoid getting DDoSed.

-----


Was it live streamed via justin.tv? I ask because I thought it automatically archived what was streamed as soon as the broadcaster goes offline.

-----


I checked, it wasn't.

-----

