PayPal security flaw
From: Robert Lenoil (lenoil_at_siliconvalleycd.com)
Date: 12/19/03
- Next message: Bernhard Kuemel: "why HMAC (Keyed-Hashing for Message Authentication)?"
- Previous message: David: "Re: Security is a joke with Microsoft"
- Next in thread: Leythos: "Re: PayPal security flaw"
- Reply:(deleted message) Leythos: "Re: PayPal security flaw"
- Reply: Nick Roberts: "Re: PayPal security flaw"
- Reply: Nick Roberts: "Re: PayPal security flaw"
Date: Fri, 19 Dec 2003 02:19:29 -0800
The other day I tried to log in to my PayPal account and was taken to a
page that said their servers were busy. The page included a "try again"
link. Viewing the HTML source for that page revealed my account
password, in plaintext, as a hidden form input. While the page was sent
over an encrypted SSL connection, this is still a security flaw, because
if a user walks away from their computer with that page displayed (or in
the browser's history) anyone can view the HTML source and obtain the
user's PayPal account name and password. Below is my dialog with PayPal
regarding this - they acknowledge the flaw, but give no indication that
it may be fixed.
Recommended action: if your computer can be accessed by others, close
your browser window if you are taken to the above PayPal page, so that
your password is not cached by your browser in the source code for the page.
-Robert Lenoil
----------------------------------------------------------------
Date: Thu, 18 Dec 2003 22:29:49 -0600
To: Robert Lenoil
Subject: Re: Protections/Privacy/Security:AccountSecurity:11:532:US:en_US:X1X1X (KMM39666457V37577L0KM)
From: "webform@paypal.com" <webform@paypal.com>
Reply-To: "webform@paypal.com" <webform@paypal.com>
Dear Robert Lenoil,
Thanks for writing to us. I appreciate the opportunity to assist you
with your questions.
Thank you for your information. What this comes down to is probably
bad implementation of our procedures. In general, you should not be
entering your password on any site except www.paypal.com, and if you do
enter it there, you will not be able to view it in the source code.
This issue is probably confined to this site only as I have never
encountered it on another site.
Please let me know if you need further assistance.
Sincerely,
Robert
PayPal Tech Support
PayPal, an eBay Company
===========================================
Original Message Follows:
------------------------
Form Message
customer subject: Security hole in PayPal
customer message: Message: 'I just tried to log in to my PayPal account and
got a screen saying that there was a temporary error because your servers
are overloaded, along with a "try again" link. This concerned me, so I
viewed the source of the web page and, sure enough, there was my PayPal
account password, in plain text, embedded in the HTML source of the web
page. Had I walked away from my computer, anybody could have viewed the
source of the web page and learned my PayPal account password, then closed
the source window to avoid detection. The "try again" link for logging in
is a serious security hole. Please respond to me about this promptly before
I publish the flaw to the Internet community at large. The following
comments from the top of the script may help you:
Script info: script: webscr, cmd: _login-submit, template: p/gen/abort,
date: Dec. 12, 2003 19:16:38 PST; country: US, language: en_US
web version: 19.5-240 branch: live-195
content version: 19.5-240 branch: live-195'
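As an added illustration (not code from the original post or from PayPal), the following shows the retry-page pattern described above in a vulnerable form that re-emits the submitted password as a hidden input, a hardened form that asks for the password again instead, and a check a test suite can run over rendered error pages to catch the leak. Field names and the sample credentials are constructed for the example.

```python
import html
import re

# Constructed names for this example; PayPal's real parameter names are not known here.
EMAIL_FIELD = "login_email"
PASSWORD_FIELD = "login_password"


def render_retry_page_vulnerable(username: str, password: str) -> str:
    """Vulnerable pattern: the 'try again' form carries the credentials so
    the click can re-POST them, so the password sits in the page source."""
    return (
        "<html><body><p>Our servers are busy, please try again.</p>"
        '<form method="post" action="/login-submit">'
        f'<input type="hidden" name="{EMAIL_FIELD}" value="{html.escape(username)}">'
        f'<input type="hidden" name="{PASSWORD_FIELD}" value="{html.escape(password)}">'
        '<input type="submit" value="Try again"></form></body></html>'
    )


def render_retry_page_hardened(username: str) -> str:
    """Hardened pattern: only the non-secret username is carried over; the
    password is re-entered by the user and never written into the page."""
    return (
        "<html><body><p>Our servers are busy, please try again.</p>"
        '<form method="post" action="/login-submit">'
        f'<input type="hidden" name="{EMAIL_FIELD}" value="{html.escape(username)}">'
        f'<input type="password" name="{PASSWORD_FIELD}" autocomplete="off">'
        '<input type="submit" value="Try again"></form></body></html>'
    )


# Matches hidden inputs with attributes in type/name/value order, as rendered above.
_HIDDEN_INPUT = re.compile(
    r'<input[^>]*type="hidden"[^>]*name="([^"]*)"[^>]*value="([^"]*)"', re.I
)


def find_leaked_secrets(page: str, known_secrets: list) -> list:
    """Return the names of hidden inputs whose (unescaped) value equals one
    of the known secrets. Intended as a regression check on error/retry pages."""
    leaked = []
    for name, value in _HIDDEN_INPUT.findall(page):
        if html.unescape(value) in known_secrets:
            leaked.append(name)
    return leaked


if __name__ == "__main__":
    pw = "s3cret!"  # constructed sample password
    print(find_leaked_secrets(render_retry_page_vulnerable("rob@example.com", pw), [pw]))
    print(find_leaked_secrets(render_retry_page_hardened("rob@example.com"), [pw]))
```

The same check can be pointed at any server-rendered page that follows a failed login, since the busy-server page is just one instance of re-emitting submitted form data.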