Auctionbytes.com uncovers Paypal security flaw

For over a year scammers and phishers may have been using a PayPal security flaw to obtain the full names of PayPal users.

[USPRwire, Sun Mar 26 2006] AuctionBytes (http://www.auctionbytes.com) today reported a major security flaw on PayPal's website could help scammers who send out "phishing" emails by allowing them to determine a PayPal member's full name and include it in hoax emails, giving them an air of legitimacy.

AuctionBytes discovered the URL with the vulnerability on Friday evening when it was sent in by an anonymous user who stated he was told the security hole had been in place for about 1 year and that many scammers were aware of its existence. Adding a PayPal member's email address to the end of that specific PayPal URL (https://www.paypal.com/affil/pal=) caused a box to appear with that member's full name. Entering an email address of a non-member brought up an error message. There was no need to log into PayPal to access that URL, and it isn't clear what the page was designed to accomplish.

PayPal tells its users to expect official PayPal emails to contain their names in the body of the email. Phishing emails that include a person's correct name that corresponds to their email address could fool the recipients into believing the email is actually from PayPal. Phishing emails are sent to trick people into revealing financial information and/or account passwords. AuctionBytes began reporting on hoax emails targeting PayPal in June of 2002 (http://auctionbytes.com/cab/abn/y02/m06/i27/s03). Since then, phishing attacks have become a serious problem for PayPal and eBay members as the emails get more sophisticated and attackers prey on unsuspecting users.

In PayPal's tips called "Protect Yourself from Fraudulent Emails" in a section titled "Please use the following tips to stay safe with PayPal," it states: "Greeting: Emails from PayPal will address you by your first and last name or the business name associated with your PayPal account. Fraudulent emails often include the salutation "Dear PayPal User" or "Dear PayPal Member".

A graphic of a screenshot of the page that comes up after entering eBay CEO Meg Whitman's email address, meg@ebay.com can be viewed on the Auctionbytes.com Web site (http://www.auctionbytes.com/cab/abn/y06/m03/i24/s00). A test by AuctionBytes of 30 email addresses brought back real names of over 25 PayPal users.

PayPal has a section of its site devoted to educating members about security issues at http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside, and eBay has a section about Marketplace Safety on its site at http://pages.ebay.com/securitycenter/mrkt_safety.html that includes a tutorial about spoof emails. eBay also recommends that PayPal and eBay members use its toolbar, which can detect when a user is visiting a valid PayPal or eBay site.

A PayPal spokesperson called the vulnerability a bug, and by late on Friday the URL redirected to PayPal's homepage.

About AuctionBytes
AuctionBytes launched in 1999 and is the leading publisher and number one source of news for the online-auction industry. AuctionBytes publishes two free email newsletters and the AuctionBytes Web site, which provides resources for auction buyers and sellers, including "Cool Tools" and Discussion Forums. AuctionBytes publishers David and Ina Steiner are frequently quoted by major news organizations about eBay, online trading and Internet fraud including such publications as Wall Street Journal, New York Times, Smart Money Magazine, and Fortune Small Business and have appeared on major television networks including CNN and CNBC.

For More Information Contact:
David Steiner
Email - dsteiner@auctionbytes.com
Phone - 1-508-655-5697

Bookmark this release: Del.icio.us - Digg - Furl - Blinklist - Reddit