Windows enthusiast site MSFN.org has highlighted a rather serious problem with PayPal's email removal feature.
Most emails sent out by corporations carry "removal" links to comply with anti-spam legislation in the USA. Clicking the link in a PayPal mailing lets a user remove themselves from future mailings from the company. However, the system behind the link lacks proper input validation and access control: the unsubscribe page identifies the subscriber by a value carried in the URL and, rather than checking that the requester is entitled to that record, simply displays the address associated with whatever value is supplied. By changing elements of the URL, a malicious user can therefore reveal other PayPal users' email addresses. The problem exposes a serious flaw in the system.
The potential for damage is serious; ever-inventive spammers already harvest email addresses from websites on a massive scale, and it would take only the most basic of tools, a short script that requests altered URLs one after another, to gain a large list of PayPal email addresses. Exactly how exposed PayPal have left their users is not yet known. Neowin was able to manually gain the email addresses of 20 users within 5 minutes. Interestingly, although it is possible to unsubscribe a user, PayPal still hold their email address on file. So far, PayPal have not released a fix for the problem and have not responded to our inquiries.
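The two paragraphs above describe the flaw in prose only. The following is an added example, not PayPal's code and not the example URL linked below: it models an unsubscribe endpoint that trusts the identifier in the URL and echoes the address (the behaviour described above), a harvesting loop of the kind the article says would take only basic tools, and a hardened handler that signs the identifier with a server-side HMAC key, compares the signature in constant time, returns one generic message for any bad link, and never echoes the full address. The hostname, parameter names, subscriber table and key are all constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample subscriber table standing in for the mailing database.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Hypothetical server-side secret; it is never sent to the client.
UNSUBSCRIBE_KEY = b"constructed-server-secret-rotate-me"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _query(url):
    """First value of every query parameter in the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_unsubscribe(url):
    """Mirrors the flaw in the article: whatever 'id' the URL carries is looked
    up and the matching address is shown, with no proof the requester owns it."""
    try:
        uid = int(_query(url).get("id", ""))
    except ValueError:
        return None
    email = SUBSCRIBERS.get(uid)
    if email is None:
        return None
    return f"{email} has been removed from our mailing list."


def harvest(handler, id_range):
    """What a harvesting script does: step through candidate identifiers and
    keep every address the page leaks back."""
    found = []
    for uid in id_range:
        reply = handler(f"https://mail.example.com/unsubscribe?id={uid}")
        if reply:
            found.extend(EMAIL_RE.findall(reply))
    return found


def _sign(uid_str):
    return hmac.new(UNSUBSCRIBE_KEY, uid_str.encode(), hashlib.sha256).hexdigest()


def make_unsubscribe_url(uid):
    """Hardened link: the identifier is accompanied by an HMAC only the server
    can compute, so altering 'id' invalidates the link."""
    return "https://mail.example.com/unsubscribe?" + urlencode(
        {"id": uid, "sig": _sign(str(uid))}
    )


def _mask(email):
    local, _, domain = email.partition("@")
    return local[0] + "***@" + domain


def hardened_unsubscribe(url):
    """Verifies the signature before touching any record and never echoes the
    full address. Bad signature and unknown id give the same generic reply."""
    params = _query(url)
    uid_str, sig = params.get("id", ""), params.get("sig", "")
    # compare_digest avoids leaking signature bytes through timing differences.
    if not hmac.compare_digest(_sign(uid_str), sig):
        return "Invalid or expired unsubscribe link."
    try:
        email = SUBSCRIBERS.get(int(uid_str))
    except ValueError:
        email = None
    if email is None:
        return "Invalid or expired unsubscribe link."
    return f"{_mask(email)} has been removed from our mailing list."


if __name__ == "__main__":
    print("leaked by vulnerable endpoint:", harvest(vulnerable_unsubscribe, range(1000, 1010)))
    print("leaked by hardened endpoint:  ", harvest(hardened_unsubscribe, range(1000, 1010)))
    print("genuine hardened link:        ", hardened_unsubscribe(make_unsubscribe_url(1002)))
```

A per-subscriber random token stored alongside the address works just as well as the HMAC and allows individual links to be revoked; either way the point is that the value in the URL must be unguessable and bound to one record, and the confirmation page should reveal nothing an attacker did not already know.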
PayPal, now owned fully by eBay, have "56 million account members worldwide", and are "available in 45 countries" around the world. PayPal is a member of BBOnline, and TRUSTe, two privacy groups. BBOnline's terms state that member sites "must have appropriate security measures in place to prevent unauthorized electronic access".
Update: PayPal have now closed the hole; they have yet to reply to concerns about their data security policy.
View: Neowin Forum Thread | Screenshot
View: PayPal | Example URL

How can I keep safe?
I don't want any trouble!
Thanks for the heads up, tom :thumbs up:
When will the media ever think
No, the email account I've got with PayPal has never received any SPAM. I don't need this address flooding as well as two other boxes.
Maybe you should stop giving your email out to those "free" porn sites....
Now even I, a simple programmer with little or no skills, can create an email database!...
Those are the kind of details that should be given to Paypal and ONLY Paypal...
Sure glad it input validates!
Last edited by 56181 on 23 Jan 2005 - 01:26
I refuse to be censored.
Clearly it was a wise move to post the link, since PayPal have patched this in the fastest time possible. We still haven't received a response from PayPal, but I assume it will be forthcoming.
Hell if anyone's THAT desperate, I'll give them my mail address.
As for "and have not responded to our inquiries." Why on earth would they? I'd expect them to use their own site for such things.
Last edited by 33613 on 23 Jan 2005 - 10:19