
fulldisclosure logo Full Disclosure mailing list archives

PayPal /webscr currency substitution exploit?
From: "2600hz" <2600hz () hushmail com>
Date: Wed, 2 Feb 2005 14:30:26 -0800

NOTICE:  Yes, I realize zillions of you are waiting with bated 
breath to follow up with examples previously posted, and if so, I 
apologize.  Regardless, since this multi-blend 
is so accommodating, something should be said to users, either by a 
reminder or truncheon across the head.  Indeed, it is the USERS 
responsibility to ensure their payment processes are secure, yet 
PayPal should do a bit more, IMHO, especially with those older 
accounts that don't know any better!   I'm flabbergasted this is 
still possible...and hey, if anyone wants to go into full-oink tech 
explanations, have at it, my brothers...I'm getting too old and my 
head hurts a bit this morning.  My ego ain't in this...could be the 
deep-fried crescent wrench I ate @ the last BurningMan...

Whoa...better get some Traction on this issue and display Thought 
Leadership if I'm ever going to get this all down...

Date discovered:  3 January, 2005 (after widespread checking)

Description:  PayPal is one of the most popular electronic payment 
services on the planet that enables users to purchase goods, 
services, and for some reason, just about every piece of over-
hyped, over-promoted and underwhelming spy-software known to 
G_d.  (Is it just me or...?)   Through an easy link on the seller's 
web page, buyers can enter in purchasing information and receive 
the services offered....sometimes paying 1/10 of what it really 
costs, through misconfiguration.   This was found doing a 
sanctioned and routine application audit/experiment; a lark 
exploit, figuratively speaking. 

Affected Platforms/Types of purchases:  Thousands -- Many software, 
e-book, membership, or virtual services that utilize automated 
processing via a buy link:  https://www.paypal.com/cgi-bin/webscr

NOTE:  In these particular cases, I notified/had 
permission/GOOJFC*.  The vendor corrected the issue within 16 
hours, and they're hard to find!...and in no way do I condone this 
sort of thing...don't do it!   

Example #1: http://www.camophone.com is a Caller-ID obfuscating 
service that lets one have too much phun sp00fing their tele 
number, i.e., two proles in the next cube hate each other, you 
sitting there dialing merrily away, having them call each other 
with fake ID #...making starving monkey sounds into the phone and 
hanging up.   A fight ensues -- they're fired -- you're promoted.  
Thanx, CamoPhone, for helping us claw up the corporate ladder!    

In this particular case, one signs up, makes an ID, purchases time 
via PayPal and simply starts calling...the exploit allows one to 
purchase 1000 minutes for about the price of 100...and no, I don't 
work for them.
------>how used:
https://www.paypal.com/cgi-bin/webscr has a number of form fields 
that facilitate automated payment processing.  By substituting 
currencies in the form field "currency_code",
the order goes through via automated submittal.  I'm not going to 
extrapolate some masturbatory example here folks, it's too simple 
and not even a hack, IMHO; the field isn't validated, it's only 
looking for the numeric string.  The substituted currency used in 
this example had about 1/10 of the required value of the stated 
field.  Within seconds, a confirmation email is sent to vendor 
OK'ing the transaction, showing payment, and....boom...Proud 0wn3r! 

Repeat by about a bazillion sites, OK?  To PayPal's credit, the 
default setting is set at accepting only one form of currency.  And 
there are other features enabled to try and make this a rare 
occurrence.  Yet what about the minions who haven't checked the SOP 
lately?  What, like a million users?  Indeed, the only PayPal site 
they may have checked was a sp00fed one...but I digress.  I repeat -- 
PayPal is the service, not the enemy, yet I firmly believe 
there's some room for a stronger corporate responsibility stance, 
like checking their customer's scripts, reminding older users, 
etc...and dammit, answer the phone with a human.  

Status/Fix:  Review allowed form field entries.  Correct.  Repeat.  
Count cash rolling in.  Become a yak farmer in the Albanian countryside.  
Or something.
http://www.camophone.com :  Corrected.  Displayed superb skills in 
correcting the error...literally within 16 hours.

http://www.paypal.com : I'm still on hold with PayPal's corporate 
office as I write this.  I've called them something like 20 times, 
leaving messages in various voice mailboxes (when the main line 
didn't ring 'busy') -- the receptionist doesn't know where the corp. 
security department is.  Email?  Canned answer....and hey, this 
isn't PayPal's problem, per se.  Yet...
/RANT MODE:  ...and another thing!  I've gone through hundreds of 
sites, only to find the same, or worse; plethoras of 
misconfiguration, forms that don't care about price and sellers 
asleep at the wheel.  Look, I know that the collective "WE" in the 
security community often take things to the extreme, yet this is 
grim.  This sort of thing promulgates the inherent idea/thought 
that Internet Commerce is insecure.  At this point, seeing stuff I 
thought we fixed 9 years ago, I couldn't agree more.

Proud Owner, Timex-Sinclair ZX-80 w/16k pack

Last note:  We have the power to communicate with every soul on the 
planet.  Yet we can't get the word out on this?  Easy fix, tough 
result if not.  All rights reserved.  You're soaking in it, too.

-- greetings to AC-130 Gunship crews, Eeye muckrakers, the guy who 
passes me @130mph in a Fairlady Z everyday, osgo and the MS Spell-
Check team:  I'm a Spelling 'Tard, but you sure try your utmost to 
ensure my writing exhibits paradigm shifts in brilliance.  Thanx!

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
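Added example (editor's addition, not part of the original post and not CamoPhone's or PayPal's code): the vendor-side check that closes the currency_code substitution described above. The post's point is that every hidden field of the webscr buy link is client-controlled, so the vendor must compare the amount and currency that were actually paid against its own price list before delivering anything. Assumptions beyond the post: the vendor keeps a per-item price table and receives a payment notification carrying the paid gross and currency. The field names mc_gross, mc_currency, item_number, payment_status, receiver_email and txn_id are PayPal's Instant Payment Notification (IPN) variable names, which the post does not mention; the vendor address, item numbers, prices, the JPY substitution and the notification bodies are constructed sample data.

```python
"""
Added example: vendor-side verification of a PayPal-style payment
notification against the vendor's own price list. Not the original
post's code. Field names follow PayPal IPN; all data is constructed.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlencode

# Constructed price list: item_number -> (gross the vendor expects, currency).
PRICES = {
    "minutes-1000": (Decimal("100.00"), "USD"),
    "minutes-100": (Decimal("10.00"), "USD"),
}
VENDOR_EMAIL = "sales@example.com"  # hypothetical receiver address


def buy_now_form(item_number):
    """Hidden fields of a webscr buy link as a vendor would emit them.
    Every field is client-controlled: the buyer can rewrite any of them
    before the browser submits to https://www.paypal.com/cgi-bin/webscr."""
    gross, currency = PRICES[item_number]
    return {
        "cmd": "_xclick",
        "business": VENDOR_EMAIL,
        "item_number": item_number,
        "amount": str(gross),
        "currency_code": currency,
    }


def tamper(form, **changes):
    """Return a copy of the form with the buyer's substitutions applied."""
    return {**form, **changes}


def notification_for(form, txn_id):
    """Constructed url-encoded notification body for a completed payment of
    the given form. It carries whatever amount and currency the (possibly
    tampered) form asked for, which is what the post's vendor e-mail showed."""
    return urlencode({
        "txn_id": txn_id,
        "payment_status": "Completed",
        "receiver_email": form["business"],
        "item_number": form["item_number"],
        "mc_gross": form["amount"],
        "mc_currency": form["currency_code"],
    })


def verify_notification(raw_body):
    """Decide whether to deliver the goods. Returns (ok, reason).
    Never trust the amount or currency that came back: compare both
    against the vendor's own price list for the item."""
    fields = {k: v[0] for k, v in parse_qs(raw_body).items()}
    if fields.get("payment_status") != "Completed":
        return False, "payment not completed"
    if fields.get("receiver_email", "").lower() != VENDOR_EMAIL:
        return False, "paid to someone else"
    item = fields.get("item_number")
    if item not in PRICES:
        return False, "unknown item"
    expected_gross, expected_currency = PRICES[item]
    paid_currency = fields.get("mc_currency")
    if paid_currency != expected_currency:
        return False, f"currency mismatch: {paid_currency} != {expected_currency}"
    try:
        paid_gross = Decimal(fields.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable gross"
    if paid_gross < expected_gross:
        return False, f"underpaid: {paid_gross} < {expected_gross}"
    return True, "ok"


def demo():
    """Run an honest purchase and two tampered ones through the check."""
    honest = buy_now_form("minutes-1000")
    # The substitution from the post: same numeric amount, cheaper currency.
    # JPY is illustrative; the post does not name the currency that was used.
    cheap_currency = tamper(honest, currency_code="JPY")
    # The sibling mistake the post alludes to: forms that don't care about price.
    cheap_amount = tamper(honest, amount="10.00")
    return {
        "honest": verify_notification(notification_for(honest, "T1")),
        "currency_swapped": verify_notification(notification_for(cheap_currency, "T2")),
        "amount_lowered": verify_notification(notification_for(cheap_amount, "T3")),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18s} {'DELIVER' if ok else 'REJECT '} {reason}")
```

The check deliberately compares the currency code by string equality rather than converting: a vendor that accepts several currencies should keep a separate expected price per currency, never a single number that any currency may satisfy. A real IPN handler must also post the received message back to PayPal for validation before trusting any of its fields; that round trip is omitted here so the example runs offline.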
