Computer Crime Research Center

hack/hack34.jpg

PayPal vulnerable

Date: March 27, 2006
Source: auctionbytes.com


A flaw on PayPal's website could help scammers who send out "phishing" emails by allowing them to determine a PayPal member's full name and include it in hoax emails, giving them an air of legitimacy.

AuctionBytes discovered the URL with the vulnerability on Friday evening when it was sent in by an anonymous user. Adding a PayPal member's email address to the end of that specific PayPal URL causes a box to appear with that member's full name. Entering an email address of a non-member brings up an error message. There is no need to log into PayPal to access that URL, and it isn't clear what the page is designed to accomplish.

PayPal tells its users to expect official PayPal emails to contain their names in the body of the email. Phishing emails that include a person's correct name that corresponds to their email address could fool the recipients into believing the email is actually from PayPal. Phishing emails are sent to trick people into revealing financial information and/or account passwords. AuctionBytes began reporting on hoax emails targeting PayPal in June of 2002 (http://auctionbytes.com/cab/abn/y02/m06/i27/s03). Since then, phishing attacks have become a serious problem for PayPal and eBay members as the emails get more sophisticated and attackers prey on unsuspecting users.

In PayPal's tips called "Protect Yourself from Fraudulent Emails" in a section titled "Please use the following tips to stay safe with PayPal," it states: "Greeting: Emails from PayPal will address you by your first and last name or the business name associated with your PayPal account. Fraudulent emails often include the salutation "Dear PayPal User" or "Dear PayPal Member".
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo