Re: PayPal security flaw

From: Todd H. (comphelp_at_toddh.net)
Date: 12/19/03

Date: 19 Dec 2003 10:25:51 -0600

Leythos <void@nowhere.com> writes:

> In article <vu5k4oqb7nrvad@corp.supernews.com>,
> lenoil@siliconvalleycd.com says...
> > The other day I tried to login to my PayPal account and was taken to a
> > page that said their servers were busy. The page included a "try again"
> > link. Viewing the HTML source for that page revealed my account
> > password, in plaintext, as a hidden form input. While the page was sent
> > over an encrypted SSL connection, this is still a security flaw, because
> > if a user walks away from their computer with that page displayed (or in
> > the browser's history) anyone can view the HTML source and obtain the
> > user's PayPal account name and password. Below is my dialog with PayPal
> > regarding this - they acknowledge the flaw, but give no indication that
> > it may be fixed.
> >
> > Recommended action: if your computer can be accessed by others, close
> > your browser window if you are taken to the above PayPal page, so that
> > your password is not cached by your browser in the source code for the page.
>
> If you are in the middle of a secure transaction, why the heck would you
> walk away from the terminal and leave it unsecured? Kind of defeats the
> purpose of having a secure transaction tunnel, doesn't it?
>
> You could always LOCK the workstation.

True, but it doesn't excuse the poor coding practice if the page is
coded as the poster reports. There's no reason the password should
ever be stuck in a hidden form unhashed.

It's all about security in depth...and a plaintext password (esp for a
financial account) shouldn't see the light of day anywhere, much less
transmitted back to a user and stuck in a hidden form unhashed.

Best Regards,

-- 
Todd H.
http://www.toddh.net/
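As an added illustration (not code from this thread, from PayPal, or from any of the posters), here is the pattern the original poster describes, a "try again" page that re-embeds the submitted credentials as hidden inputs, next to a variant that keeps the credentials server-side behind a single-use opaque token, and a small check a reviewer could run over any page to detect a submitted secret echoed back in a hidden field. All function and field names, and the in-memory `PENDING` store, are assumptions made for the example.

```python
import html
import secrets
from html.parser import HTMLParser

# Constructed "server busy" page in the shape the thread describes: the
# credentials the user just typed are written back into hidden inputs.
def busy_page_vulnerable(username: str, password: str) -> str:
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="login_email" value="{html.escape(username)}">'
        f'<input type="hidden" name="login_password" value="{html.escape(password)}">'
        '<input type="submit" value="Try again"></form>'
    )

# Hardened variant: the page carries only an opaque, single-use token and the
# pending login stays in a server-side store (a dict stands in for it here;
# a real store would also expire entries after a short time).
PENDING = {}

def busy_page_hardened(username: str, password: str) -> str:
    token = secrets.token_urlsafe(24)
    PENDING[token] = (username, password)
    return (
        '<form method="post" action="/login/retry">'
        f'<input type="hidden" name="retry_token" value="{token}">'
        '<input type="submit" value="Try again"></form>'
    )

def redeem_retry(token: str):
    """Consume the token: the stored credentials are removed on first use."""
    return PENDING.pop(token, None)

class HiddenInputs(HTMLParser):
    """Collect (name, value) of every hidden input; HTMLParser unescapes
    attribute values, so an HTML-escaped password compares equal again."""
    def __init__(self):
        super().__init__()
        self.values = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.values.append((a.get("name", ""), a.get("value", "")))

def leaked_secrets(page: str, *submitted: str) -> list:
    """Names of hidden inputs whose value equals a secret the user submitted."""
    p = HiddenInputs()
    p.feed(page)
    return [name for name, value in p.values if value and value in submitted]
```

The check is deliberately value-based rather than name-based, so it also catches a password echoed under an innocuous field name.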
