PayPal vulnerability allows access to any account within 30 seconds

sygeek

Technomancer

A security vulnerability in PayPal’s systems makes it possible to gain full, unrestricted access to any account within 30 seconds, we’ve heard from Matt Langley of Integrated Computer Enterprises Limited.

The vulnerability lies in PayPal’s forgotten password recovery features. Says Langley:
PayPal sends Password Forgotten Change tokens to unauthorized email addresses instead of the email address on the account. Once you follow the link they email, and change the password, you are given total access to that account. No trickery or sophisticated hacking is required. It’s a bug in their email system that corrupts email addresses.
Once the attacker has access, there’s nothing restricting their ability to siphon money out of the account.

The exploit is, of course, a direct violation of PayPal’s privacy policy and a laundry list of laws, so don’t try this at home — but PayPal needs to act as thieves aren’t particularly concerned with such things.

After a range of high profile attacks this year, use of this vulnerability would easily topple the Sony PlayStation Network attack as the most significant and damaging of the year. PayPal is used by millions of Internet users to transfer money.

Our source says that PayPal has been warned previously but ignored his emails. We’ve contacted PayPal on this matter and are awaiting a response.

[I'm not sharing any hack tricks, just a bug. Don't try to use this method to gain access to any account, you're bound to be caught.]


The weird fact about this bug is that you can't avoid it at a personal level; it's all up to the company. Looks like I need to hide my email.
 
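
As an added illustration (not code from the article, from this thread, or from PayPal), here is a password-reset flow written in the defensive shape the quoted bug violates: the recipient is taken only from the account record, never from the request; the address the mail layer would actually deliver to is compared against that record before anything leaves the system, and a mismatch is refused and written to an audit log; and the token is an HMAC bound to the on-file address, so it stops verifying if that address later changes. The account store, server key, Transport class and the CorruptingTransport fault-injection stand-in are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account store; addresses are placeholders, not real data.
ACCOUNTS = {
    "alice": {"email": "alice@example.com"},
    "bob": {"email": "bob@example.net"},
}
SERVER_KEY = b"constructed-demo-key"  # in practice: a secret from a key store
TOKEN_TTL_SECONDS = 900
AUDIT_LOG = []  # refused sends are recorded here for an operator to review


class RecipientMismatch(Exception):
    """The address the transport would use is not the address on the account."""


class Transport:
    """Minimal stand-in for a mail layer: normalize an address, then send."""

    def __init__(self):
        self.sent = []

    def normalize(self, address):
        return address.strip().lower()

    def send(self, address, body):
        self.sent.append((address, body))


class CorruptingTransport(Transport):
    """Fault-injection stand-in for the address corruption the article describes."""

    def normalize(self, address):
        return super().normalize(address).replace("alice", "mallory")


def _mac(account_id, email, ts, nonce):
    msg = f"{account_id}|{email}|{ts}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def mint_token(account_id, now=None):
    """Token = account id, timestamp, nonce and an HMAC that also covers the on-file email."""
    email = ACCOUNTS[account_id]["email"]
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return f"{account_id}.{ts}.{nonce}.{_mac(account_id, email, ts, nonce)}"


def verify_token(token, now=None):
    """Return the account id if the token is intact, unexpired and still matches the on-file email."""
    try:
        account_id, ts, nonce, mac = token.split(".")
        ts = int(ts)
    except ValueError:
        return None
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return None
    current = int(now if now is not None else time.time())
    if ts > current or current - ts > TOKEN_TTL_SECONDS:
        return None
    # Recompute over the address stored now: a token minted for an older address fails.
    if not hmac.compare_digest(mac, _mac(account_id, acct["email"], ts, nonce)):
        return None
    return account_id


def request_reset(login, transport, now=None):
    """Handle a 'forgot password' request; returns True when a reset mail was sent.

    The recipient comes only from the account record. The address the transport
    will use is re-derived here, independently of the transport, and the send is
    refused if the two disagree, so a corrupted address never receives a token.
    """
    acct = ACCOUNTS.get(login)
    if acct is None:
        return False  # caller shows the same message either way; logins stay non-enumerable
    canonical = acct["email"].strip().lower()
    actual = transport.normalize(acct["email"])
    if actual != canonical:
        AUDIT_LOG.append({"account": login, "expected": canonical, "actual": actual})
        raise RecipientMismatch(f"refusing reset for {login}: transport chose {actual!r}")
    transport.send(actual, f"Reset token: {mint_token(login, now)}")
    return True


def reset_outcome(login, transport, now=None):
    """Convenience wrapper: 'sent', 'unknown' or 'blocked'."""
    try:
        return "sent" if request_reset(login, transport, now) else "unknown"
    except RecipientMismatch:
        return "blocked"
```

The guard compares against its own normalization of the stored address rather than trusting the transport's answer, which is the point: whatever layer produced the wrong address in the quoted report, a check that sits outside that layer and reads the account record directly would have refused the send and left a log entry instead of delivering a live token to a stranger.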

deathwish

Are you dead yet?
Wow!! Now this takes the security issues, or rather security blunders, to a whole new level! If this news breaks out in a big way, it could make most casual users wary of using internet banking, which would push us back a few years in this domain. :|
 

Vyom

The Power of x480
Staff member
Admin
Scary stuff.
Hoping PayPal responds soon.
It's good that I don't have a PayPal account, for now.
 

Ishu Gupta

Manchester United
Paypal in India sucks anyways.
You can't buy anything and you have to withdraw your balance within 1 week (iirc) or it'll get reset.
 