Re: PayPal security flaw
From: Nick Roberts (nick.roberts_at_acm.org)
Date: 12/22/03
- Next message: Nick Roberts: "Re: PayPal security flaw"
- Previous message: BLH: "Re: Remote Access Authentication"
- In reply to: Robert Lenoil: "PayPal security flaw"
- Next in thread: Nick Roberts: "Re: PayPal security flaw"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Dec 2003 12:58:08 +0000
Robert Lenoil wrote:
> The other day I tried to log in to my PayPal account and was taken to a
> page that said their servers were busy. The page included a "try again"
> link. Viewing the HTML source for that page revealed my account
> password, in plaintext, as a hidden form input. While the page was sent
> over an encrypted SSL connection, this is still a security flaw, because
> if a user walks away from their computer with that page displayed (or in
> the browser's history) anyone can view the HTML source and obtain the
> user's PayPal account name and password. Below is my dialog with PayPal
> regarding this - they acknowledge the flaw, but give no indication that
> it may be fixed.
>
> Recommended action: if your computer can be accessed by others, close
> your browser window if you are taken to the above PayPal page, so that
> your password is not cached by your browser in the source code for the
> page.
My recommended action: do not use PayPal. If you have an account, withdraw
everything you have from it immediately, and then close it. Please see:
--
Nick Roberts
Fight Spam! Join EuroCAUCE: http://www.euro.cauce.org/
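The busy-page "try again" pattern the report describes, as an added example that is not code from PayPal or from anyone in this thread: an insecure renderer that echoes the password into a hidden input, a hardened renderer that hands the client only an opaque single-use token, and a checker that flags hidden inputs carrying a secret. All function names, field names and sample values are constructed for the example.

```python
"""Retry-page pattern from the report: insecure vs. hardened, plus a checker.

The insecure renderer copies the submitted password into a hidden form
field, so it lands in the page source, browser cache and history. The
hardened renderer stores nothing but the username under a random
single-use token; the password never reaches the page, and the retry
handler must prompt for it again. (Constructed example, not PayPal's code.)
"""
import html
import secrets
from html.parser import HTMLParser

PENDING_LOGINS = {}  # token -> username; constructed in-memory store


def render_retry_insecure(username, password):
    # The flaw as reported: credentials echoed back as hidden inputs.
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="login_email" value="{html.escape(username)}">'
        f'<input type="hidden" name="login_password" value="{html.escape(password)}">'
        '<input type="submit" value="Try again"></form>'
    )


def render_retry_secure(username):
    # Only an unguessable, single-use token reaches the client.
    token = secrets.token_urlsafe(32)
    PENDING_LOGINS[token] = username
    return (
        '<form method="post" action="/login/retry">'
        f'<input type="hidden" name="retry_token" value="{token}">'
        '<input type="submit" value="Try again"></form>'
    )


class _HiddenInputs(HTMLParser):
    """Collect (name, value) of every hidden <input>; values are unescaped."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))


def find_leaked_secrets(page, known_secrets):
    """Names of hidden inputs whose value is a known secret or whose name
    looks like a password field; usable as a check on rendered responses."""
    parser = _HiddenInputs()
    parser.feed(page)
    return [name for name, value in parser.hidden
            if value in known_secrets or "pass" in name.lower()]
```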