PayPal Opt Out link is leaking customer email addresses

Question
A serious privacy/security issue has been found in the OPT OUT link embedded in emails originating from BenchmarkPortal.com relating to PayPal customer satisfaction surveys. I believe the problem is with BenchmarkPortal and not PayPal itself, although this breach concerns them specifically. In particular, if you've ever contacted PayPal for some reason you have probably received a follow-up email to rate their customer service. This follow-up email originates from Benchmark, the CRM company used by PayPal/eBay, and contains an Opt Out link to prevent one from receiving any more of these emails. The security breach is with the Opt Out URL, which can be manipulated to show other Opt Out PayPal customers' email addresses.
I don't know if this applies only to PayPal's customer service follow-up emails or if it also applies to the Opt Out links found in ALL of their email correspondence. eBay also uses Benchmark for customer satisfaction ratings, but I don't know if these are vulnerable as well since I don't have one to check.
This is a huge security breach and I'm sure it's going to be in the mainline news very soon because it's already under discussion in a few of my security newsgroups. I experimented with the URL by changing the numbers and was able to get 25 addresses in about two minutes. I'm sure someone can or already has written a script to automate the process of gathering these email addies. This may even be the way many of the phishers find their victims.
The post made by the person who first discovered the problem specifically mentioned the Opt Out link in PayPal's customer service rating email but the NeoWin post below seems to be including ALL of PayPal's Opt Out email links. I can't verify that because I don't have a PayPal email to test but I can tell you that the statement made by the original source is absolutely correct.
http://www.neowin.net/comments.php?i...&category=main
Windows enthusiast site, MSFN.org, have highlighted a rather serious problem with PayPal's email removal feature.
Most emails sent from corporations have "removal" links to comply with anti-spam legislation in the USA. On clicking the link sent out by PayPal, users can remove themselves from future mailings from the company. However, the system used to do this suffers from a lack of proper input validation and security. By changing elements of the URL, a malicious user can reveal other PayPal users' email addresses. The problem exposes a serious flaw in the system.
The potential for damage is serious; ever inventive spammers already harvest email addresses from websites on a massive scale and it would take only the most basic of tools to gain a large list of PayPal email addresses. Exactly how exposed PayPal have left their users is not yet known. Neowin was able to manually gain the email addresses of 20 users within 5 minutes. Interestingly, although it's possible to unsubscribe a user, PayPal still hold their email address on file. So far, PayPal have not released a fix for the problem, and have not responded to our inquiries. Original source: http://www.msfn.org/
Blanche
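The flaw described in the post, an opt-out handler that trusts a guessable numeric id from the query string and echoes the matching address, shown beside a hardened handler, as an added example that is neither BenchmarkPortal's nor PayPal's code. The hardened link carries a keyed HMAC over the id, so an incremented id without a matching token is rejected, and the confirmation page never displays the address. The domain surveys.example, the recipient table and the email addresses are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data: survey recipients keyed by a sequential internal id.
RECIPIENTS = {40010000003: "alice@example.com", 40010000004: "bob@example.com"}
OPTED_OUT = set()
# Server-side secret; it never appears in any link.
SECRET_KEY = secrets.token_bytes(32)


def vulnerable_optout(url):
    """Mirrors the reported flaw: the id is used as-is, so any other valid id
    returns another customer's address (an insecure direct object reference)."""
    rid = int(parse_qs(urlsplit(url).query)["id"][0])
    email = RECIPIENTS.get(rid)
    return None if email is None else f"{email} has been opted out"


def _token(rid):
    """HMAC-SHA256 over the id; unforgeable without SECRET_KEY."""
    return hmac.new(SECRET_KEY, str(rid).encode(), hashlib.sha256).hexdigest()


def make_optout_link(rid):
    """Builds the link that would be embedded in the survey email."""
    return "https://surveys.example/optout?" + urlencode({"id": rid, "t": _token(rid)})


def hardened_optout(url):
    """Verifies the token before acting and never reveals the address."""
    q = parse_qs(urlsplit(url).query)
    try:
        rid, token = int(q["id"][0]), q["t"][0]
    except (KeyError, ValueError):
        return "invalid opt-out link"
    # Constant-time comparison; a tampered id fails here because its MAC differs.
    if not hmac.compare_digest(token, _token(rid)) or rid not in RECIPIENTS:
        return "invalid opt-out link"
    OPTED_OUT.add(rid)
    return "Your address has been removed from future surveys."
```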

Answer
I am opted out from most eBay emails, but I saved the "special notice" they sent regarding the upcoming fee changes, and in that email there is no opt-out link. Instead they include the following note, which basically tells you to "unsubscribe" from your "my eBay" page on the site directly... no third party involvement from what I can tell. As for other types of eBay generated emails, I don't know...

eBay sent this e-mail to you because your Notification Preferences indicate that you want to receive information about Special Events & Promotions. eBay will not request personal data (password, credit card/bank numbers) in an e-mail. You are subscribed as XXXXXXXXXXXXXXXXXXX, registered on eBay.

If you do not wish to receive further communications, sign into "My eBay" by clicking on the "My eBay" link found at the top of the eBay home page and change your Notification Preferences. Please note that it may take up to 10 days to process your request.

PayPal needs to follow that lead...

(Why it takes up to 10 days, I have no idea)

Answer
I just checked to see if Benchmark's automated Opt Out system was still functioning and it looks like they plugged the hole. Earlier today this link revealed the email address of the person who was opting out. Now it says
Opt Out
Our automated opt out system is currently unavailable.
If you would like to remove your address from future customer satisfaction surveys, please send an email to: optout*benchmarkportal.com http://ebay.benchmarkportal.com/payp...id=40010000003
Blanche
© 2007 www.aqcollection.com