PayPal Leaking Customer Email Addresses

Mr magoo on 22 January 2005 - 18:03 · 54 comments & 10906 views

Windows enthusiast site MSFN.org has highlighted a rather serious problem with PayPal's email removal feature.

Most emails sent from corporations carry "removal" links to comply with anti-spam legislation in the USA. On clicking the link sent out by PayPal, users can remove themselves from future mailings from the company. However, the system behind that link does not properly validate its input or tie the link to the recipient it was sent to: by changing elements of the URL, a malicious user can make it reveal other PayPal users' email addresses. The problem exposes a serious flaw in the system.
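The flaw described above is an unsubscribe handler that acts on, and echoes, whichever record the URL names, with nothing binding the link to the recipient. The Python below is an added example and not PayPal's code (which was never published): it models a constructed subscriber table, a deliberately vulnerable handler that a harvesting loop simply walks by record number, and a hardened handler whose link carries a per-recipient HMAC token, which acts only on a valid token and replies identically whether or not a record exists. The record IDs, the sample addresses, SERVER_KEY and the two endpoint shapes are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample subscriber table (hypothetical; not PayPal's data).
# Sequential record IDs are exactly what makes the vulnerable design enumerable.
SUBSCRIBERS = {
    1001: {"email": "alice@example.com", "subscribed": True},
    1002: {"email": "bob@example.com", "subscribed": True},
    1003: {"email": "carol@example.com", "subscribed": True},
}

GENERIC_REPLY = "If that address was subscribed, it has been removed from future mailings."


# --- Vulnerable pattern: the unsubscribe URL carries nothing but a guessable
# --- record ID, and the confirmation page echoes the address back to whoever
# --- requested it. Anyone can act on, and read, any record.
def vulnerable_unsubscribe(record_id: int) -> Optional[str]:
    """Models /unsubscribe?id=<record_id> with no check that the caller owns the record."""
    row = SUBSCRIBERS.get(record_id)
    if row is None:
        return None
    row["subscribed"] = False
    return f"{row['email']} has been removed from future mailings."


def harvest(start: int, count: int) -> list:
    """What a harvesting script does against the vulnerable endpoint: walk the ID space."""
    found = []
    for rid in range(start, start + count):
        reply = vulnerable_unsubscribe(rid)
        if reply is not None:
            found.append(reply.split(" ", 1)[0])
    return found


# --- Hardened pattern: the link carries a per-recipient token only the server
# --- can mint, the handler verifies it before acting, and the reply is the
# --- same whether or not the record exists, so nothing leaks.
SERVER_KEY = secrets.token_bytes(32)  # assumption: held server-side only


def _mac(record_id: int, email: str) -> str:
    msg = f"{record_id}:{email}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_unsubscribe_token(record_id: int) -> str:
    """Minted server-side when the mailing is generated and embedded in the link."""
    return f"{record_id}.{_mac(record_id, SUBSCRIBERS[record_id]['email'])}"


def safe_unsubscribe(token: str) -> str:
    """Models /unsubscribe?t=<token>. Acts only on a valid token; never reveals the address."""
    try:
        rid_str, mac = token.split(".", 1)
        rid = int(rid_str)
    except ValueError:
        return GENERIC_REPLY
    row = SUBSCRIBERS.get(rid)
    # Constant-time comparison so the MAC cannot be recovered byte by byte via timing.
    if row is not None and hmac.compare_digest(_mac(rid, row["email"]).encode(), mac.encode()):
        row["subscribed"] = False
    return GENERIC_REPLY


if __name__ == "__main__":
    print("hardened, forged token:", safe_unsubscribe("1002.deadbeef"),
          "-> bob still subscribed:", SUBSCRIBERS[1002]["subscribed"])
    print("hardened, genuine token:", safe_unsubscribe(make_unsubscribe_token(1002)),
          "-> bob still subscribed:", SUBSCRIBERS[1002]["subscribed"])
    print("vulnerable, scanning IDs 1000-1009:", harvest(1000, 10))
```

Run it and a ten-ID scan of the vulnerable endpoint returns all three addresses, while the hardened endpoint gives the same uninformative reply to a forged token, a malformed token and a genuine one, and only the genuine one changes any state. The token binds the record ID to the address under a server secret, so guessing neighbouring IDs buys an attacker nothing; returning one generic message also removes the existence oracle that a "no such record" error would otherwise provide.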

The potential for damage is serious; ever-inventive spammers already harvest email addresses from websites on a massive scale, and it would take only the most basic of tools to build a large list of PayPal email addresses. Exactly how exposed PayPal have left their users is not yet known. Neowin was able to obtain the email addresses of 20 users manually within 5 minutes. Interestingly, although it's possible to unsubscribe a user, PayPal still hold their email address on file. So far, PayPal have not released a fix for the problem, and have not responded to our inquiries.

PayPal, now owned fully by eBay, have "56 million account members worldwide", and are "available in 45 countries" around the world. PayPal is a member of BBOnline, and TRUSTe, two privacy groups. BBOnline's terms state that member sites "must have appropriate security measures in place to prevent unauthorized electronic access".

Update : PayPal have now closed up the hole; they've yet to reply to concerns about their data security policy.

View: Neowin Forum Thread | Screenshot
View: PayPal | Example URL

Comments · There are 54 additional comments
#1.1 creamhackered on 22 Jan 2005 - 18:46
We're gonna remove that. Don't worry....
#2.1 Mr magoo on 22 Jan 2005 - 18:48
A long time ago, the site seemed to spend time copy-pasting complete stories from Neowin, which I think many would agree is pretty unacceptable / not on. However, they've sharpened up their act and are now sourcing / crediting us properly.
#3.1 creamhackered on 23 Jan 2005 - 04:01
Calling a staff member a ****ing idiot isn't something we appreciate unfortunately.

Clearly it was a wise move to post the link since PayPal have patched this in the fastest time possible. We still haven't received a response from PayPal but I assume it will be forthcoming.
