Question
http://auctionbytes.com/cab/abn/y06/m03/i24/s00
from the newsletter tonight:
A flaw on PayPal's website could help scammers who send out "phishing" emails by allowing them to determine a PayPal member's full name and include it in hoax emails, giving them an air of legitimacy.
AuctionBytes discovered the URL with the vulnerability on Friday evening when it was sent in by an anonymous user. Adding a PayPal member's email address to the end of that specific PayPal URL causes a box to appear with that member's full name....
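As an added illustration (not code from the article, AuctionBytes or PayPal; the account table, session store, function names and sample addresses are assumptions constructed for this example, and the actual URL was never published), here is the lookup pattern the article describes next to a hardened version that ties disclosure to a login session and gives the same answer for existing and non-existent accounts:

```python
"""Account-name lookup: the leaky pattern beside a hardened one.

Added illustration, not PayPal's code. The account table, the session
store and the function names are constructed for this example; the
vulnerable URL itself was never published.
"""
import secrets
from typing import Callable, Dict, Optional

# Constructed sample directory: email address -> account holder's name.
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Example",
}


def lookup_name_vulnerable(email: str) -> dict:
    """The pattern the article describes: the address in the URL is the
    only input, no login is needed, and the response tells the caller
    both whether the account exists and who owns it."""
    name = ACCOUNTS.get(email.lower())
    if name is None:
        return {"status": 404, "body": "No such account"}
    return {"status": 200, "body": f"Account holder: {name}"}


# Hardened variant: the server-side session, not a URL parameter,
# decides whose details may be shown.
SESSIONS: Dict[str, str] = {}  # opaque token -> email of logged-in user


def login(email: str) -> str:
    """Stand-in for a real login flow: issues an unguessable token."""
    email = email.lower()
    if email not in ACCOUNTS:
        raise ValueError("unknown account")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def lookup_name_hardened(email: str, session_token: Optional[str]) -> dict:
    """Hardened pattern:
    - no valid session: one fixed response, whatever the address
    - a session may only resolve the address it is logged in as
    - an unknown address and someone else's address get the same reply
    """
    caller = SESSIONS.get(session_token) if session_token else None
    if caller is None:
        return {"status": 401, "body": "Sign in to view account details"}
    if caller != email.lower():
        return {"status": 404, "body": "Not found"}
    return {"status": 200, "body": f"Account holder: {ACCOUNTS[caller]}"}


def leaks_account_existence(handler: Callable[[str], dict]) -> bool:
    """Unauthenticated probe: does the handler answer differently for a
    real address than for one that cannot exist? If so the page is an
    enumeration oracle even before any name is shown."""
    real = handler("alice@example.com")
    fake = handler(f"nobody-{secrets.token_hex(8)}@example.invalid")
    return real != fake


if __name__ == "__main__":
    print("vulnerable leaks existence:",
          leaks_account_existence(lookup_name_vulnerable))
    print("hardened leaks existence:",
          leaks_account_existence(lambda e: lookup_name_hardened(e, None)))
    tok = login("bob@example.com")
    print(lookup_name_hardened("alice@example.com", tok))
    print(lookup_name_hardened("bob@example.com", tok))
```

The probe is the check worth keeping: before looking for leaked names, compare the unauthenticated responses for a real and an impossible address; if they differ, the endpoint already confirms which addresses have accounts.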
Answer
Good reporting, and it explains a recent trend. I trust that they (Auctionbytes) have reported the vulnerability to PayPal, and that they record how long they take to address it (which should be hours, not days).
Kind Regards, Kevin
Answer
This pisses me off so much. When I got the spoof email with my name and forwarded it to them, PayPal didn't even acknowledge that it was a spoof. When I contacted them by phone with my concern, because there is NO way my name would come from anywhere other than eBay or PayPal, they kept insisting that I had to have done something stupid or had given it to some other site. Nope, no way. If anything would make me close my PayPal account, this would be it.
Answer
This is some serious sssshhhh***tttttt. I'll never click on email links again.
AuctionBytes has chosen not to include the URL in this article until PayPal has fixed the vulnerability, but you can see in the accompanying graphic a screenshot of the page that comes up after entering eBay CEO Meg Whitman's email address, meg*ebay.com. A test by AuctionBytes of 30 email addresses brought back real names of over 25 PayPal users.
http://auctionbytes.com/cab/abn/y06/m03/i24/s00
Thanks for sharing this information.
Answer
I got one of those emails from Paypal & I reported it.
They wrote back it was a phish -- 2 days later I received EXACTLY the SAME email AGAIN!!
so much for "reporting it" -- it did a h3ll of a lot of good! NOT
GRRRR
Answer
I got my first "full name" Paypal spoof at least 2 months ago .....scared me to death!
PayPal acknowledged that it had not come from them, the usual form letter (after I had come to the boards in panic, and nobody seemed to know how it had happened, but I was not alone; others had been receiving them at that time too).
Since then, there has been sporadic board-discussion in a few places, that says that it may be an inside job. I haven't had one since. I changed my password immediately.
Needless to say, there wasn't any personal reply to my concerned e-mail to PayPal, in which I asked how it was possible to get my full name.
Most Paypal spoofs (99.99%) hit my virus-and-spambox immediately, and I never even receive them. This got through!
Thanks to this and a couple of other OA boards, if something seems fishy or improbable, I never click on the links, but go to Paypal e.g. to see what the ** transaction is/was they're referring to. But I'm a small-time seller these days. Someone with real volume may not be so vigilant after being lulled into the Paypal mantra of "We always use your real name".
Nasty.
Answer
They still have not fixed that. Man, it's been that way for about two years now.
Answer
How in the world can they let that exist for days, let alone months or years? I never click on links, but I really did think that one email I got looked real. I mean, if an email references our entire, correct corporate name, and PayPal has said that's one way you'll know a real email, it makes you wonder.
spoof*paypal.com immediately labelled it phish so I didn't worry about it any more except to strengthen my resolve to never click on anything in an email.
Maryanne
Answer
Originally Posted by 10x
They still have not fixed that. Man, it's been that way for about two years now.
eBay is like that...they have lax site security, don't fix problems when they're alerted to security flaws in their site, and then blame the users:
A copy and paste of one of my posts from elsewhere with some updated information:
====================================================================================
Oh, look at this, PayPal apologizes for any heightened level of concern: no reason given why that page was there in the first place, and no indication given that PayPal will accept liability for any losses people suffered as a result of an internal PayPal security problem.
Originally Posted by kristin*paypal.com (Mar-25-06 17:00 PST)
The information noted in the above article has been resolved. We apologize for any heightened level of concern.
As we all know Phishing/Spoofing is a serious industry-wide issue, and we strongly recommend that community members be on the lookout for suspicious emails and avoid responding to emails that ask for your personal information (even if the email looks like it is coming from a reputable source). We encourage you to forward any suspicious emails that request personal information to spoof*paypal.com or spoof*ebay.com. These reports are an important part of our efforts to protect the community.
http://forums.ebay.com/db2/thread.js...50882&tstart=0
According to a story linked to on that thread, eBay and PayPal both knew last year that it was possible for outsiders to obtain users' real names, and yet failed to alert their users to the problem and did nothing to fix it until today.
Auctionbytes has issued a press release:
Originally Posted by auctionbytes
For over a year scammers and phishers may have been using a PayPal security flaw to obtain the full names of PayPal® users.
http://www.newswiretoday.com/news/4479/
The original eWeek article from January 24, 2005:
Originally Posted by eWeek 1/24/2005
PayPal E-Mail Leak Brings Phishing Worries
Electronic payment provider PayPal Inc. on Monday confirmed that a security breach at a partner site left an unknown number of e-mail addresses exposed on the Internet.
The eBay-owned company, which has been a major target for phishing attacks, said the security breach occurred at Benchmark Portal, a third-party company that handles customer-survey e-mails and exposed a "limited number of user e-mail addresses."
Word of the data leakage first surfaced on security message boards over the weekend and pointed to an apparent bug in the software used to manage "unsubscribe" requests from PayPal users.
eWEEK.com was able to verify that certain readily available URLs could be manually manipulated to show e-mail addresses of PayPal users who recently unsubscribed from customer-service surveys.
full article: http://www.eweek.com/article2/0,1895,1754013,00.asp
This isn't the first time that eBay/PayPal has known of a security flaw on its sites and ignored the problem. eBay was warned of the flaw that allowed phishers to place malicious JavaScript directly in listings a year before the flaw made headlines when it was exploited by several phishers last fall. Both eBay and LiveWorld knew of a serious security hole in LiveWorld's forum software in 2004 that allowed phishers to obtain users' account info, and yet took months to fix the problem.
eBay gets an F for security, and its attempts to blame its users are laughable.
====================================================================================
This article from Jan 2005 is interesting reading too. Last fall (Nov/Dec 2005) this hole was exploited when phishers placed malicious JavaScript directly in auction listings on the eBay site. eBay had known about the possibility of such an attack for over a year and had done nothing.
http://www.gulftech.org/?node=resear...00064-01042005
The LiveWorld eBay Forums hole that eBay/LiveWorld took months to fix:
http://www.securitytracker.com/alert...g/1011036.html
Answer
Follow Up article by Auctionbytes.
The user who brought the vulnerability to AuctionBytes' attention said the security hole had been in place for about 1 year and that many scammers were aware of its existence. When asked if this was possible, and why techs at PayPal had overlooked accesses that must have generated records on the PayPal server logs, PayPal spokesperson Amanda Pires said, "the page was appearing as a bug and should never have been up there. Unfortunately, for security reasons, I can't say much more than that."
Looks like PayPalDamon has taught PayPalAmanda the fine art of non-answers very well.
Kevin
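The spokesperson's answer sidesteps the log question, but enumeration of this kind does leave a recognizable trace: many requests to one page from one client, each with a different email parameter. As an added example (not from AuctionBytes or PayPal; the log lines, the /lookup path and the "email" parameter name are constructed, since the real URL was never published), here is a small detector that reads Apache-style access log lines and flags clients that queried more than a handful of distinct addresses:

```python
"""Spot email enumeration against a lookup page in access logs.

Added example, not from AuctionBytes or PayPal. The log lines, the
/lookup path and the "email" parameter are constructed; the real URL
was never published.
"""
import re
from collections import defaultdict
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

LOOKUP_PATH = "/lookup"  # assumed path of the leaky page
ENUM_THRESHOLD = 5       # distinct addresses from one client before flagging

# Constructed Apache combined-format lines: one client walks through a
# list of addresses; another looks up one address and browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2006:21:02:11 -0800] "GET /lookup?email=a%40example.com HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:21:02:12 -0800] "GET /lookup?email=b%40example.com HTTP/1.1" 200 498 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:21:02:12 -0800] "GET /lookup?email=c%40example.com HTTP/1.1" 404 211 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:21:02:13 -0800] "GET /lookup?email=d%40example.com HTTP/1.1" 200 503 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:21:02:13 -0800] "GET /lookup?email=e%40example.com HTTP/1.1" 200 507 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:21:02:14 -0800] "GET /lookup?email=f%40example.com HTTP/1.1" 200 499 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:21:02:14 -0800] "GET /lookup?email=F%40Example.com HTTP/1.1" 200 499 "-" "Mozilla/4.0"
198.51.100.2 - - [24/Mar/2006:21:05:40 -0800] "GET /lookup?email=me%40example.org HTTP/1.1" 200 510 "-" "Mozilla/5.0"
198.51.100.2 - - [24/Mar/2006:21:05:45 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into the fields we need; None if
    the line does not look like a request record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    email = parse_qs(target.query).get("email", [None])[0]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": target.path,
        # normalise case so a%40X and A%40x count as one probed address
        "email": email.strip().lower() if email else None,
        "status": int(m.group("status")),
    }


def find_enumerators(log_text: str, threshold: int = ENUM_THRESHOLD) -> Dict[str, dict]:
    """Per client IP that queried at least `threshold` distinct addresses
    on LOOKUP_PATH, report how many it probed and how many came back 200
    (each 200 is a name handed to the caller)."""
    probed = defaultdict(set)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != LOOKUP_PATH or not rec["email"]:
            continue
        probed[rec["ip"]].add(rec["email"])
        if rec["status"] == 200:
            hits[rec["ip"]].add(rec["email"])
    return {
        ip: {"probed": len(addrs), "hits": len(hits[ip])}
        for ip, addrs in probed.items()
        if len(addrs) >= threshold
    }


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {stats['probed']} addresses probed, "
              f"{stats['hits']} names returned")
```

Counting distinct addresses rather than raw requests keeps a user who reloads their own page from tripping the rule, while still catching a scanner that paces itself; a production version would key on a time window and on the 200/404 ratio as well.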