EcommerceBytes-NewsFlash, Number 1244 - March 24, 2006

PayPal Security Flaw Makes eBay and PayPal Users Vulnerable to Phishers


A flaw on PayPal's website could help scammers who send out "phishing" emails by allowing them to determine a PayPal member's full name and include it in hoax emails, giving them an air of legitimacy.

AuctionBytes discovered the URL with the vulnerability on Friday evening when it was sent in by an anonymous user. Adding a PayPal member's email address to the end of that specific PayPal URL causes a box to appear with that member's full name. Entering an email address of a non-member brings up an error message. There is no need to log into PayPal to access that URL, and it isn't clear what the page is designed to accomplish.
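To make the risk concrete, here is an added illustration (not PayPal's code, and not from the article's source) of the behaviour just described, modelled as a small lookup endpoint. The member directory, the log lines and the IP addresses are all constructed. The leaky form answers anonymous callers with the member's full name and a different message for non-members, which is what lets an attacker confirm accounts and harvest names; the hardened form requires a logged-in session, answers identically for member and non-member addresses, rate-limits each caller, and a separate log check flags any source that queries many distinct addresses.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed member directory; every name and address here is invented.
MEMBERS = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Example",
}


def leaky_lookup(email: str) -> dict:
    """The behaviour the article describes: no login needed, the member's
    full name comes back, and a non-member address gets a distinct error."""
    name = MEMBERS.get(email.strip().lower())
    if name is None:
        return {"status": "error", "message": "no account matches that email"}
    return {"status": "ok", "name": name}


@dataclass
class Request:
    email: str                    # address being looked up
    session_user: Optional[str]   # logged-in account, None when anonymous
    client_id: str                # caller identity for rate limiting, e.g. source IP


class RateLimiter:
    """Counts requests per caller; a real deployment would add a time window."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: dict = defaultdict(int)

    def allow(self, key: str) -> bool:
        self.counts[key] += 1
        return self.counts[key] <= self.limit


# One response for every address that is not the caller's own, so a member
# address and a non-member address are indistinguishable to the requester.
GENERIC = {"status": "ok", "message": "request received"}


def hardened_lookup(req: Request, limiter: RateLimiter) -> dict:
    """Hardened form: authentication first, then rate limit, then a uniform
    answer for everyone except the account owner asking about themselves."""
    if req.session_user is None:
        return {"status": "error", "message": "authentication required"}   # 401
    if not limiter.allow(req.client_id):
        return {"status": "error", "message": "too many requests"}         # 429
    target = req.email.strip().lower()
    if target == req.session_user.lower():
        # A logged-in member may see their own account name, nobody else's.
        return {"status": "ok", "name": MEMBERS.get(target)}
    return dict(GENERIC)


def responses_distinguishable(lookup, member: str, non_member: str) -> bool:
    """Oracle check a reviewer can run against any lookup function: does it
    answer differently for a member and a non-member address? True means the
    endpoint can be used to confirm which addresses hold accounts."""
    return lookup(member) != lookup(non_member)


# Constructed access-log sample: timestamp, client IP, queried address.
SAMPLE_LOG = """\
2006-03-24T20:01:02Z 203.0.113.5 lookup email=alice@example.com
2006-03-24T20:01:09Z 203.0.113.5 lookup email=alice@example.com
2006-03-24T20:02:11Z 198.51.100.7 lookup email=a@example.com
2006-03-24T20:02:12Z 198.51.100.7 lookup email=b@example.com
2006-03-24T20:02:13Z 198.51.100.7 lookup email=c@example.com
2006-03-24T20:02:14Z 198.51.100.7 lookup email=d@example.com
"""

LOG_RE = re.compile(r"^\S+ (?P<ip>\S+) lookup email=(?P<email>\S+)$")


def flag_enumeration(log_text: str, threshold: int) -> list:
    """Return callers that queried more than `threshold` distinct addresses.
    Many distinct lookups from one source is the signature of bulk name
    harvesting; the article's 30-address test would trip any sensible value."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["email"].lower())
    return sorted(ip for ip, emails in seen.items() if len(emails) > threshold)
```

The `responses_distinguishable` check is the property to test during review: an endpoint that needs no session and answers differently for members and non-members is an account oracle regardless of what the page was built for. The log check complements it, because even a hardened endpoint benefits from alerting on one caller walking through a list of addresses.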

PayPal tells its users to expect official PayPal emails to contain their names in the body of the email. Phishing emails that include a person's correct name that corresponds to their email address could fool the recipients into believing the email is actually from PayPal. Phishing emails are sent to trick people into revealing financial information and/or account passwords. AuctionBytes began reporting on hoax emails targeting PayPal in June of 2002 (http://auctionbytes.com/cab/abn/y02/m06/i27/s03). Since then, phishing attacks have become a serious problem for PayPal and eBay members as the emails get more sophisticated and attackers prey on unsuspecting users.

In PayPal's tips called "Protect Yourself from Fraudulent Emails," in a section titled "Please use the following tips to stay safe with PayPal," it states: "Greeting: Emails from PayPal will address you by your first and last name or the business name associated with your PayPal account. Fraudulent emails often include the salutation 'Dear PayPal User' or 'Dear PayPal Member'."

AuctionBytes has chosen not to include the URL in this article until PayPal has fixed the vulnerability, but you can see in the accompanying graphic a screenshot of the page that comes up after entering eBay CEO Meg Whitman's email address, meg@ebay.com. A test by AuctionBytes of 30 email addresses brought back real names of over 25 PayPal users.

PayPal has a section of its site devoted to educating members about security issues at http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside, and eBay has a section about Marketplace Safety on its site at http://pages.ebay.com/securitycenter/mrkt_safety.html that includes a tutorial about spoof emails. eBay also recommends that PayPal and eBay members use its toolbar, which can detect when a user is visiting a valid PayPal or eBay site.


About the author:

Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to ina@ecommercebytes.com.


You may quote up to 50 words of any article on the condition that you attribute the article to EcommerceBytes.com and either link to the original article or to www.EcommerceBytes.com.
All other use is prohibited.