Update:
This has been debunked: PayPal accounts are safe. We’ve spoken in depth to Matt Langley, the person who discovered the supposed issue, and it’s clear why he assumed there was a serious security breach, but the issue is far less serious than initially thought.
Matt Langley explains:
“It seems that the ‘victim’ had opened an account using an email address of mine, with extra characters thrown in, which Gmail ignores and accepts as the same email address, so it was gmail which uncorrupted the email address and sent the emails to me, not Paypal. I had previously reported an account set-up with fraudulent email address to Paypal many times in the past, but only yesterday noticed that the email address was different to mine, in a way which on any other email system in the world would be a different email address.”
There is a minor weakness: Gmail ignores dots in the local part of an address, but PayPal treats each dotted variant as a distinct email address, so anyone can create multiple PayPal accounts that all deliver mail to the same Gmail inbox. It looks like a flaw, but not a massive security vulnerability. PayPal also does not appear to verify email addresses on registration, so anyone can create multiple accounts for the same person without ever clicking a confirmation link in a verification email. Again, a flaw, but not a massive security vulnerability.
-
A security vulnerability in PayPal’s systems may make it possible to gain full, unrestricted access to any account within 30 seconds, we’ve heard from Matt Langley of Integrated Computer Enterprises Limited.
The vulnerability lies in PayPal’s forgotten password recovery features. Says Langley:
PayPal sends Password Forgotten Change tokens to unauthorized email addresses instead of the email address on the account. Once you follow the link they email, and change the password, you are given total access to that account. No trickery or sophisticated hacking is required. It’s a bug in their email system that corrupts email addresses.
Once the attacker has access, there’s nothing restricting their ability to siphon money out of the account.
The exploit is, of course, a direct violation of PayPal’s privacy policy and a laundry list of laws, so don’t try this at home — but PayPal needs to act as thieves aren’t particularly concerned with such things.
After a range of high profile attacks this year, use of this vulnerability would easily topple the Sony PlayStation Network attack as the most significant and damaging of the year. PayPal is used by millions of Internet users to transfer money.
Our source says that PayPal has been warned previously but ignored his emails. We’ve contacted PayPal on this matter and are awaiting a response.
Updated:
This has been debunked: PayPal accounts are safe. More details to come.
Paypal phone support is open for another 23 minutes at +1 (888) 221-1161, in case folks want to ring them up and ask for more details (and/or bring this to their awareness before they close for the evening).
hmm.. the procedure to recover passwords has 2 options:
- Enter the email address you used when you created your PayPal account. OR
- Enter up to 3 email addresses you may have used to create your PayPal account. We’ll check to find a match.
So how can an unauthorized email address get access?
How could you send a token to an address that isn’t associated with the account? This makes absolutely no sense. PayPal says specifically: “Enter the email address you used when you created your PayPal account. Enter the code you see:” They don’t say “Enter the email address you signed up with then enter in another address just for fun.”
@Erik van Roekel There’s more to it. Matt told us he won’t reveal the rest until PayPal have done something about the issue. “I can’t tell you the exact nature of the bug until Paypal have fixed it.”
@matt newberg Mr. Langley didn’t reveal the exploit, which we should be thankful for. If it were as trivial as what you’re describing it would’ve been used to steal accounts so many times it’d be fixed already.
Matt Langley posted a conversation about this on Namesake earlier. I thought this might add some context: http://bit.ly/jqBQTO
Yup, it’s option 1, but there is a bug in the password reset email process which sends the email to a different account under certain circumstances. The important thing is for PayPal to fix it immediately. It’s embarrassingly easy, if opportunist.
Having discussed it with an ex-PayPal engineer, it may not be a problem in all regions, as other security features would provide a second level of authentication before changing password, but that won’t help the millions who are in the region(s) affected. That’s probably the first fix they should do in any regions where they don’t already.
Obviously they also need to fix the bug in their emailer, but if they had second level authentication during password reset, this would not have opened the door.
I should refine the above slightly, in that it was always clear that only a minority of users would be vulnerable in this way, but at one point I estimated it to be possibly as high as a third, but now I think it’s fewer due to reasons that I can’t disclose until the problem has been fixed (sorry, but I’m trying to be responsible). The actual number of people affected will probably turn out to be, thankfully, quite small, but it’s not because the system is secure, it’s just that other factors will restrict the ability of mass exploitation. I’ll explain this when it is safe to do so, but it’s fairly mundane so don’t get too excited.
If you think this one is bad, read about Citibank’s recent security breach! Hackers logged into a valid account, and then simply changed a few numbers in the URL to gain access to any other account that they wanted. Unbelievable. http://bit.ly/lHoYT0 The good news? I have accounts with Citi and PayPal, so my credit monitoring costs should be covered by these companies for a couple years (at least). Citi and PayPal…I am awaiting a call.
We’ve updated the post but including this in the comments just so everyone who has commented is aware: “There is a small vulnerability because Gmail allows you to include dots in your email address. It essentially allows anyone to create multiple PayPal accounts with the same email address because PayPal recognises the inclusion of a dot as a separate email address entirely. It seems like a flaw but not a massive security vulnerability. Also, PayPal doesn’t appear to verify email addresses on registration so anyone can create multiple accounts for the same person without any need to click a confirmation link in a verification email. Again, a flaw but not a massive security vulnerability as far as we can tell.”
PayPal ignoring emails sounds about right… their automated bot system and/or Indian call centres is a nightmare over even basic requests. So they allow things like this to fester, even if they’re not in the wrong on this one.
This is a Gmail bug. Dots are VALID characters in an e-mail address, if not repeated and not at the beginning or end. As are all of these: ! $ & * - = ^ ` | ~ # % ' + / ? _ { }.
Gmail ignores the dots, and counts that as a “feature”: http://gmailblog.blogspot.com/2008/03/2-hidden-ways-to-get-more-from-your.html
But that is no security flaw, as all email will go to the original account.
Now, what does PayPal sending password change tokens to the WRONG e-mail address have to do with that?
@Zee @mattlangley This whole episode is a bit unnerving. People are free not to use PayPal, but if they have an Android phone, they *must* have a GMail account to receive software updates.
Not a flaw, but a documented feature of GMail: each account has a very large set of valid mailable addresses that will deliver to it. This is a useful feature. If you want to make a particular variant address deliver straight to nowhere, that’s easy enough to do with filters. This feature doesn’t make it significantly easier to create multiple PayPal accounts that send email to ultimately the same place, and I fail to see how that even could make anything a “flaw” at all.
The flaw is in PayPal. It is never right to use an email address for a valuable function for a persistent account without first performing a functional confirmation that the address is valid and under the control of the person who provided it for that use. People misspell email addresses all the time, and have done so for as long as there have been email addresses. People give out addresses that they know to belong to others to 3rd parties as a mode of harassment and have been doing so for at least 20 years. Unfortunately, lazy operators like PayPal can save effort (i.e. money) by ignoring the need to confirm addresses or by confirming them weakly.
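As an added illustration, not code from the original post, from PayPal or from any commenter, of the two weaknesses described in the post’s update and in the comment above: folding Gmail’s dot and ‘+tag’ aliases onto one key so that several registrations landing in the same inbox can be spotted, and confirming an address with a single-use token before it is trusted for anything like password recovery. The provider list and the sample registrations are constructed for the example.

```python
import hmac
import secrets

# Domains known to ignore dots and '+tags' in the local part (constructed list; extend from your own tests).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(addr: str) -> str:
    """Collapse aliases that reach the same mailbox onto one lookup key."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        # Gmail ignores dots and everything from '+' onward in the local part.
        local = local.split("+", 1)[0].replace(".", "").lower()
    # Other domains: RFC 5321 local parts are case- and dot-sensitive, so no folding is safe.
    return f"{local}@{domain}"

def find_alias_collisions(registrations):
    """Return {mailbox key: [account ids]} for mailboxes used by more than one account."""
    by_key = {}
    for account_id, addr in registrations:
        by_key.setdefault(canonical_email(addr), []).append(account_id)
    return {k: ids for k, ids in by_key.items() if len(ids) > 1}

class AddressVerifier:
    """Functional confirmation: an address is usable for recovery only after a token sent to it comes back."""
    def __init__(self):
        self._pending = {}      # mailbox key -> outstanding token
        self.verified = set()   # mailbox keys proven to be under the registrant's control
    def issue(self, addr: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[canonical_email(addr)] = token
        return token  # deliver ONLY to addr; never show it to the registrant any other way
    def confirm(self, addr: str, presented: str) -> bool:
        key = canonical_email(addr)
        expected = self._pending.get(key)
        if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        del self._pending[key]  # single use
        self.verified.add(key)
        return True

# Constructed registrations: three addresses that all deliver to one Gmail inbox.
SAMPLE_REGISTRATIONS = [
    ("acct-1", "alice.smith@gmail.com"),
    ("acct-2", "alicesmith@gmail.com"),
    ("acct-3", "A.lice.Smith+shop@GMAIL.com"),
    ("acct-4", "alice.smith@example.com"),
]
```

Folding is only safe for providers you have confirmed treat those variants as one inbox; for everyone else the collision check must fall back on the verification step alone.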
“Massive security vulnerability” sounds about right. I’ve had such experiences with money being stolen from my account via PayPal that I closed my account years ago.
@Zee Having slept on it, I feel I should clarify that I did gain access to someone else’s Paypal account. I did see all their personal information, and I could have verified the account and conducted transactions using any bank or credit card details they had set up on the account. That is all still true. What makes it a non-issue is that this can only happen where the account holder has chosen to use an email address they don’t own, rather than being the result of a bug in their email system as I originally stated.
@Ricardo Tomasi Basically I was not aware of the Gmail ‘bug’, and now I am, I would even agree it was a feature rather than a bug. However, as I was not aware, I assumed that Paypal was sending the password change token to my email address, not the obfuscated one used by the account holder for that account. Knowing what I now know, it’s clear that the original account holder chose to use a variation of my email address instead of their own. Why, I don’t know, but it certainly changes the severity of the issue from severe to minor. The only fault of Paypal was allowing people to use unverified email accounts that don’t belong to them in the first place.
@billcole Absolutely right. If they did follow this very basic best practice, this whole thing would never have happened, which would have been better for everyone.