Security Breach at eBay's PayPal Service Raises Many Questions but Few Answers
By Ina Steiner
AuctionBytes reported on Friday a vulnerability on the PayPal website that let anyone check whether an email address was attached to a PayPal account and, if it was, see the account holder's full name (http://www.auctionbytes.com/cab/abn/y06/m03/i24/s00). Several hours after AuctionBytes contacted PayPal about the security issue, PayPal fixed it, calling the page "a bug."
Anyone who entered "https://www.paypal.com/affil/pal=" in the address bar of their browser, followed by an email address, got a page displaying the account holder's name; if the email address was not attached to a PayPal account, an error message appeared instead. No login was required, so the page worked as an account-existence oracle, and the name it returned is exactly what a phisher needs to write the personalised salutation PayPal tells customers to trust. For example, entering the email address of eBay CEO Meg Whitman after the equal sign, like this, https://firstname.lastname@example.org, revealed the full names of Whitman and her husband on her PayPal account. (eBay owns PayPal.)
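To make the flaw concrete, here is an added Python sketch (not PayPal's code and not from the original article) of the two behaviours the paragraph describes: a lookup that answers differently for registered and unregistered addresses and echoes the holder's name, and a hardened variant that answers identically unless the caller is the authenticated owner. The account store, the exact path shape "/affil/pal=", and the response wording are assumptions constructed for the example.

```python
from typing import Callable, Dict, Optional
from urllib.parse import unquote

# Constructed sample account store: hypothetical users, not real PayPal data.
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Example and Carol Example",
}

PREFIX = "/affil/pal="  # path shape described in the article (assumed exact form)


def email_from_path(path: str) -> Optional[str]:
    """Pull the address the caller appended after 'pal=' out of the request path."""
    if not path.startswith(PREFIX):
        return None
    return unquote(path[len(PREFIX):]).strip().lower() or None


def vulnerable_lookup(email: str) -> dict:
    """Behaviour the article describes: no login required, the account holder's
    name is echoed back, and a distinct response says 'no such account'.
    The page therefore leaks both existence and identity."""
    name = ACCOUNTS.get(email.lower())
    if name is None:
        return {"status": "error", "message": "No PayPal account for this address"}
    return {"status": "ok", "name": name}


def hardened_lookup(email: str, session_email: Optional[str]) -> dict:
    """Hardened variant (added here, not PayPal's actual fix): only an
    authenticated session may resolve its own address, and every other
    request gets one identical, content-free answer, so a caller cannot tell
    registered from unregistered addresses or learn a name."""
    e = email.lower()
    if session_email is not None and session_email.lower() == e and e in ACCOUNTS:
        return {"status": "ok", "name": ACCOUNTS[e]}
    return {"status": "ok", "message": "Request received"}


def harvest(candidates, oracle: Callable[[str], dict]) -> Dict[str, str]:
    """What 'anyone' could do with the page: walk a candidate list and keep
    every address that resolves to a name. Against vulnerable_lookup this
    yields real names for targeted phishing; against hardened_lookup, nothing."""
    hits: Dict[str, str] = {}
    for candidate in candidates:
        response = oracle(candidate)
        if response.get("status") == "ok" and "name" in response:
            hits[candidate] = response["name"]
    return hits


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("vulnerable:", harvest(probe, vulnerable_lookup))
    print("hardened:  ", harvest(probe, lambda e: hardened_lookup(e, None)))
```

The hardened version removes the second signal too: a registered and an unregistered address produce byte-identical responses for an unauthenticated caller, which is the property to check for in any "look up by email" endpoint, not just whether the name is shown.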
The user who brought the vulnerability to AuctionBytes' attention said the security hole had existed for about a year and that many scammers knew about it. When asked whether that was possible, and why PayPal's technical staff had not noticed the lookups, which must have left records in PayPal's web server logs, PayPal spokesperson Amanda Pires said, "the page was appearing as a bug and should never have been up there. Unfortunately, for security reasons, I can't say much more than that."
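The question of why a year of lookups went unnoticed in the server logs is answerable with a few lines of log analysis. As an added example (not PayPal's tooling and not part of the original article), this Python detector parses constructed Apache-style access-log lines for the page described above and flags any client that resolves several distinct email addresses within a short window, the pattern a scammer walking a mailing list would leave. The log format, the five-minute window and the threshold of three addresses are assumptions; the IP addresses and emails are documentation ranges and placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed Apache combined-format log lines (hypothetical traffic, not
# PayPal's real logs): one client walks a list of addresses through the
# page, another makes two legitimate-looking requests an hour apart.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2006:10:15:01 +0000] "GET /affil/pal=alice@example.com HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:10:15:02 +0000] "GET /affil/pal=bob@example.com HTTP/1.1" 200 530 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:10:15:02 +0000] "GET /affil/pal=carol@example.com HTTP/1.1" 200 301 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Mar/2006:10:15:03 +0000] "GET /affil/pal=dave@example.com HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:10:15:04 +0000] "GET /affil/pal=erin%40example.com HTTP/1.1" 200 301 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2006:10:15:05 +0000] "GET /affil/pal=frank@example.com HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Mar/2006:11:40:00 +0000] "GET /affil/pal=dave@example.com HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Client IP, timestamp, method, path and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Only the lookup page matters; the address is whatever follows 'pal='.
PATH_RE = re.compile(r"^/affil/pal=(?P<email>[^ ?]+)")


def parse_line(line: str):
    """Return {ip, ts, email} for a lookup-page request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = PATH_RE.match(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "email": unquote(p.group("email")).lower()}


def detect_enumeration(log_text: str, window: timedelta = timedelta(minutes=5), threshold: int = 3):
    """Map client IP -> largest number of distinct addresses it looked up
    inside any sliding window of `window` length, for IPs reaching `threshold`.
    Distinct addresses, not request count, is the signal: one user retrying
    their own address is not enumeration."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            emails = {r["email"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(emails) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(emails))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct addresses looked up within 5 minutes")
```

The same query is easy to express in whatever log platform is in use; the point is that an unauthenticated page taking a user-supplied identifier should have a "distinct identifiers per client per window" alert from the day it ships.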
AuctionBytes also asked Pires via email, "PayPal states in its 'Protect Yourself from Fraudulent Emails' page: 'Emails from PayPal will address you by your first and last name or the business name associated with your PayPal account. Fraudulent emails often include the salutation "Dear PayPal User" or "Dear PayPal Member."' Since this has proven to be inaccurate, will PayPal be removing that?"
Pires replied, "The particular message about using a customer's first and last name is still accurate. That is because legitimate emails from PayPal will still use a customer's first and last name. Also it's important to note all the other tips on the security center that help identify against spoof...such as PayPal will never ask you to click on a link that takes you to a page that requests personal financial information, including your PayPal password, PayPal recommends using the eBay toolbar with Account Guard to identify spoof, sending emails you are unsure about to email@example.com etc. If using all these tips together, customers can avoid spoof emails."
Many eBay users remain unconvinced, however, that PayPal sufficiently protects their identities and their accounts or is proactive in defending against security breaches. In January 2005, eWeek reported a PayPal security vulnerability that also involved manipulating a PayPal URL, in that case to expose the email addresses of PayPal users who had recently unsubscribed from customer-service surveys (http://www.eweek.com/article2/0,1895,1754013,00.asp).
And apparently, sending suspicious emails to firstname.lastname@example.org doesn't ensure a correct response either. In a February 2004 article, AuctionBytes sent a legitimate email, originating from PayPal, to email@example.com, which was misidentified by PayPal's customer support. (http://www.auctionbytes.com/cab/abu/y204/m02/abu0113/s08)
So until PayPal does a better job with its anti-phishing efforts, the best advice for anyone online remains: never click on a link in an email to log into a website; type the site's address into your browser yourself.
About the author:
Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to firstname.lastname@example.org.