EcommerceBytes-NewsFlash, Number 1245 - March 27, 2006 - ISSN 1539-5065

Security Breach at eBay's PayPal Service Raises Many Questions but Few Answers

By Ina Steiner
EcommerceBytes.com
March 27, 2006


AuctionBytes reported on Friday a vulnerability on the PayPal website that allowed anyone to find out whether an email address was attached to a PayPal account and, if so, revealed the account holder's full name (http://www.auctionbytes.com/cab/abn/y06/m03/i24/s00). Several hours after AuctionBytes contacted PayPal about the security issue, PayPal fixed it, calling it "a bug."

Anyone who typed "https://www.paypal.com/affil/pal=" into their browser's address bar, followed by an email address, got a page displaying the name on the PayPal account tied to that address. If the address was not attached to a PayPal account, an error message appeared instead. No login was required, so the page worked as both an account-existence check and a name lookup. For example, entering the email address of eBay CEO Meg Whitman after the equal sign, like this, https://www.paypal.com/affil/pal=meg@ebay.com, revealed the full names of Whitman and her husband on her PayPal account. (eBay owns PayPal.)
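To make the bug class concrete, here is an added example that is not PayPal's code: a constructed Python handler that behaves the way the article describes (no login, the name on a hit, a distinct error on a miss) beside a hardened version, plus the check a tester can run to tell whether an endpoint still acts as an account-existence oracle. The account table, session table, addresses and names are all invented for the demo.

```python
"""Account-lookup oracle demo (constructed; not PayPal's code).

The vulnerable handler answers two questions for anyone on the internet:
"does this email have an account?" and "what name is on it?". The hardened
handler requires a session, only ever reveals the caller's own name, and
returns one identical response for every other address, so a probe cannot
distinguish a registered address from an unregistered one.
"""

# Invented account table keyed by email address (lower-cased).
ACCOUNTS = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Example",
}

# Invented session store: session token -> the email that owns the session.
SESSIONS = {"sess-alice": "alice@example.com"}

# Addresses a tester can use to probe an endpoint: one known to exist in the
# demo table, one that is guaranteed not to.
KNOWN_EXISTING = "bob@example.com"
KNOWN_MISSING = "nobody@example.invalid"


def lookup_vulnerable(email):
    """Unauthenticated lookup: status and body differ by account existence."""
    name = ACCOUNTS.get(email.lower())
    if name is None:
        return {"status": 404, "body": "No PayPal account found for this email"}
    return {"status": 200, "body": name}


def lookup_hardened(email, session_token):
    """Authenticated lookup that is not an oracle.

    - no valid session: refuse before touching the account table;
    - caller asks about their own address: return their own name;
    - any other address, registered or not: the same constant answer.
    """
    owner = SESSIONS.get(session_token)
    if owner is None:
        return {"status": 401, "body": "Sign in to continue"}
    if email.lower() == owner:
        return {"status": 200, "body": ACCOUNTS[owner]}
    # Deliberately identical for existing and missing addresses.
    return {"status": 200, "body": "Not available"}


def leaks_account_existence(handler):
    """Black-box oracle check: does the response change with existence?

    `handler` takes an email and returns {"status", "body"}. It leaks if the
    reply for a registered address differs in any way from the reply for an
    unregistered one. Response timing is not compared here; a real test
    should also measure it.
    """
    hit = handler(KNOWN_EXISTING)
    miss = handler(KNOWN_MISSING)
    return hit["status"] != miss["status"] or hit["body"] != miss["body"]


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_account_existence(lookup_vulnerable))
    as_alice = lambda e: lookup_hardened(e, "sess-alice")
    print("hardened leaks: ", leaks_account_existence(as_alice))
    print("hardened, no session:", lookup_hardened(KNOWN_EXISTING, None))
```

The `leaks_account_existence` check is the part worth keeping: run it against any endpoint that takes an email (login, password reset, affiliate or "send money" lookups) with one address you own and one that cannot exist, and compare status, body and, in practice, response time.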

The user who brought the vulnerability to AuctionBytes' attention said the security hole had existed for about a year and that many scammers knew about it. Asked whether that was possible, and why PayPal's technical staff had not noticed the lookups, which must have left records in PayPal's server logs, PayPal spokesperson Amanda Pires said, "the page was appearing as a bug and should never have been up there. Unfortunately, for security reasons, I can't say much more than that."
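The server-log point deserves a worked illustration. Below is an added example, not anything from PayPal or the article: constructed Apache-style log lines (the IPs, timestamps and addresses are invented) and a small detector that parses requests to the lookup path and flags any client that queries several distinct email addresses within a short window, which is the traffic pattern an enumeration run leaves behind.

```python
"""Detect email-enumeration runs against a lookup URL in web-server logs.

Constructed example. The log lines below are invented, Apache combined-format
style records; the path prefix /affil/pal= is the one named in the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log: one client walks five lookups in ten seconds, a
# second client does a single lookup, a third never touches the path.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2006:10:00:01 +0000] "GET /affil/pal=alice%40example.com HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Mar/2006:10:00:03 +0000] "GET /affil/pal=bob%40example.com HTTP/1.1" 200 498 "-" "Mozilla/4.0"
203.0.113.5 - - [27/Mar/2006:10:00:04 +0000] "GET /affil/pal=carol@example.com HTTP/1.1" 404 311 "-" "Mozilla/4.0"
203.0.113.5 - - [27/Mar/2006:10:00:06 +0000] "GET /affil/pal=dave@example.com HTTP/1.1" 200 500 "-" "curl/7.15"
203.0.113.5 - - [27/Mar/2006:10:00:09 +0000] "GET /affil/pal=erin@example.com HTTP/1.1" 404 311 "-" "curl/7.15"
203.0.113.5 - - [27/Mar/2006:10:00:11 +0000] "GET /affil/pal=alice%40example.com HTTP/1.1" 200 512 "-" "curl/7.15"
192.0.2.9 - - [27/Mar/2006:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# Client IP, timestamp, request line and status from a combined-format record.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The lookup path; the email is whatever follows the equals sign.
LOOKUP_RE = re.compile(r'^/affil/pal=(?P<email>[^?&\s]+)')


def parse_lookups(text):
    """Return (ip, timestamp, email, status) for every lookup request."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = LOOKUP_RE.match(m["path"])
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Decode %40 and friends so alice%40example.com and alice@example.com
        # count as the same target.
        out.append((m["ip"], ts, unquote(p["email"]).lower(), int(m["status"])))
    return out


def find_enumeration(text, threshold=3, window_seconds=60):
    """Map client IP -> most distinct emails it looked up in any window.

    Only clients reaching `threshold` are returned. Both hits (200) and
    misses (404) count: an attacker learns something from each.
    """
    by_ip = defaultdict(list)
    for ip, ts, email, _status in parse_lookups(text):
        by_ip[ip].append((ts, email))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        best = 0
        # Sliding window anchored at each request; fine for log-sized input.
        for i, (t_i, _) in enumerate(reqs):
            emails = {e for t, e in reqs[i:] if t - t_i <= window}
            best = max(best, len(emails))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct addresses queried within 60s")
```

On real logs the thresholds need tuning, and a careful attacker spreads requests across addresses and time, so this is a first-pass signal rather than a complete control; it is still the kind of check that would have surfaced a year of scripted lookups.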

AuctionBytes also asked Pires via email, "PayPal states in their 'Protect Yourself from Fraudulent Emails' page: 'Emails from PayPal will address you by your first and last name or the business name associated with your PayPal account. Fraudulent emails often include the salutation "Dear PayPal User" or "Dear PayPal Member."' Since this has proven to be inaccurate, will PayPal be removing that?"

Pires replied, "The particular message about using a customer's first and last name is still accurate. That is because legitimate emails from PayPal will still use a customer's first and last name. Also it's important to note all the other tips on the security center that help identify spoof...such as PayPal will never ask you to click on a link that takes you to a page that requests personal financial information, including your PayPal password, PayPal recommends using the eBay toolbar with Account Guard to identify spoof, sending emails you are unsure about to spoof@paypal.com etc. If using all these tips together, customers can avoid spoof emails."

Many eBay users remain unconvinced, however, that PayPal sufficiently protects their identities and their accounts or is pro-active in defending against security breaches. In January 2005, eWeek reported a PayPal security vulnerability that also involved the manipulation of PayPal's URL to expose email addresses of PayPal users who recently unsubscribed from customer-service surveys (http://www.eweek.com/article2/0,1895,1754013,00.asp).

And forwarding suspicious emails to spoof@paypal.com does not guarantee a correct answer either. As AuctionBytes reported in February 2004, it forwarded a legitimate email that originated from PayPal to spoof@paypal.com, and PayPal's customer support misidentified it (http://www.auctionbytes.com/cab/abu/y204/m02/abu0113/s08).

So until PayPal does a better job in its anti-phishing efforts, the best advice for anyone online remains the same: never log in to a website by clicking a link in an email. Type the address into your browser yourself.

About the author:

Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to ina@ecommercebytes.com.

You may quote up to 50 words of any article on the condition that you attribute the article to EcommerceBytes.com and either link to the original article or to www.EcommerceBytes.com.
All other use is prohibited.
