mailing list archives
PayPal /webscr currency substitution exploit?
From: "2600hz" <2600hz () hushmail com>
Date: Wed, 2 Feb 2005 14:30:26 -0800
NOTICE: Yes, I realize zillions of you are waiting with baited
breath to follow up with examples previously posted, and if so, I
apologize. Regardless, since this multi-blend
is so accommodating, something should be said to users, either by a
reminder or truncheon across the head. Indeed, it is the USERS
responsibility to ensure their payment processes are secure, yet
PayPal should do a bit more, IMHO, especially with those older
accounts that don't know any better! I'm flabbergasted this is
still possible...and hey, if anyone wants to go into full-oink tech
explanations, have at it, my brothers...I'm getting too old and my
head hurts a bit this morning. My ego ain't in this...could be the
deep-fried crescent wrench I ate @ the last BurningMan...
Whoa...better get some Traction on this issue and display Thought
Leadership if I'm ever going to get this all down...
Date discovered: 3 January, 2005 (after widespread checking)
Description: PayPal is one of the most popular electronic payment
services on the planet that enables users to purchase goods,
services, and for some reason, just about every piece of over-
hyped, over-promoted and underwhelming piece spy-software known to
G_d. (Is it just me or...?) Through an easy link on the sellers
web page, buyers can enter in purchasing information and receive
the services offered....sometimes paying 1/10 of what is really
costs, through misconfiguration. This was found doing a
sanctioned and routine application audit/experiment; a lark
exploit, figuratively speaking.
Affected Platforms/Types of purchases: Thousands -- Many software,
e-book, membership, or virtual services that utilize automated
processing via a buy link: https://www.paypal.com/cgi-bin/webscr
NOTE: In these particular cases, I notified/had
permission/GOOJFC*. The vendor corrected the issue within 16
hours, and they're hard to find!...and in no way do I condone this
sort of thing...don't do it!
Example #1: http://www.camophone.com is a Caller-ID obscuficating
service that let's one have too much phun sp00fing their tele
number, i.e., two proles in the next cube hate each other, you
sitting there dialing merrily away, having them call each other
with fake ID #...making starving monkey sounds into the phone and
hanging up. A fight ensues -- they're fired -- you're promoted.
Thanx, CamoPhone, for helping us claw up the corporate ladder!
In this particular case, one signs up, makes an ID, purchases time
via PayPal and simply starts calling...the exploit allows one to
purchase 1000 minutes for about the price of 100...and no, I don't
work for them.
https://www.paypal.com/cgi-bin/webscr has a number of form fields
that facilitate automated payment processing. By substituting
currencies in the form field "currency_code",
the order goes through via automated submittal. I'm not going to
extrapolate some masturbatory example here folks, it's too simple
and not even a hack, IMHO; the field isn't validated, it's only
looking for the numeric string. The substituted currency used in
this example had about 1/10 of the required value of the stated
field. Within seconds, a confirmation email is sent to vendor
OK'ing the transaction, showing payment, and....boom...Proud 0wn3r!
Repeat by about a bazillion sites, OK? To PayPal's credit, the
default setting is set@ accepting only one form of currency. And
there are other features enabled to try and make this a rare
occurence. Yet what about the minions who haven't checked the SOP
lately? What, like a million users? Indeed, the only PayPal site
they may have checked was a sp00fed one...but I digress. I repeat -
- PayPal is the service, not the enemy, yet I firmly believe
there's some room for stronger corporate responsibility stance,
like checking their customer's scripts, reminding older users,
etc...and dammit, answer the phone with a human.
Status/Fix: Review allowed form field entries. Correct. Repeat.
Count cash rolling in. Become Yak farmer in Albanian countryside.
http://www.camophone.com : Corrected. Displayed superb skills in
correcting the error...literally within 16 hours.
http://www.paypal.com : I'm still on hold with PayPal's corporate
office as i write this. I've called them something like 20 times,
leaving messages in various voice mailboxes (when the main line
didn't ring 'busy' -- the receptionist doesn't know where the corp.
security department is. Email? Canned answer....and hey, this
isn't PayPal's problem, per se. Yet...
/RANT MODE: ...and another thing! I've gone through hundreds of
sites, only to find the same, or worse; plethora's of
misconfiguration, forms that don't care about price and sellers
asleep at the wheel. Look, I know that the collective "WE" in the
security community often take things to the extreme, yet this is
grim. This sort of thing promulgates the inherent idea/thought
that Internet Commerce is insecure. At this point, seeing stuff I
thought we fixed 9 years ago, I couldn't agree more.
Proud Owner, Timex-Sinclair ZX-80 w/16k pack
Last note: We have the power to communicate with every soul on the
planet. Yet we can't get the word out on this? Easy fix, tough
result if not. All rights reserved. You're soaking in it, too.
-- greetings to AC-130 Gunship crews, Eeye muckrakers, the guy who
passes me @130mph in a Fairlady Z everyday, osgo and the MS Spell-
Check team: I'm a Spelling 'Tard, but you sure try your utmost to
ensure my writing exhibits paradigm shifts in brilliance. Thanx!
Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
Promote security and make money with the Hushmail Affiliate Program:
Full-Disclosure - We believe in it.
- PayPal /webscr currency substitution exploit? 2600hz (Feb 03)