PayPal vulnerability debunked. Paypal accounts are safe. [Updated]

PayPal vulnerability debunked. Paypal accounts are safe. [Updated]


This has been debunked, Paypal accounts are safe. We’ve spoken in depth to Matt Langley, the person who discovered the supposed issue, and it’s clear why he assumed there was a serious security breach but the issue is far less serious than initially thought.

Matt Langley explains:

“It seems that the ‘victim’ had opened an account using an email address of mine, with extra characters thrown in, which Gmail ignores and accepts as the same email address, so it was gmail which uncorrupted the email address and sent the emails to me, not Paypal. I had previously reported an account set-up with fraudulent email address to Paypal many times in the past, but only yesterday noticed that the email address was different to mine, in a way which on any other email system in the world would be a different email address.”

There is a small vulnerability because Gmail allows you to include dots in your email address, it essentially allows anyone to create multiple Paypal accounts with the same email address because Paypal recognises the inclusion of a dot as a separate email address entirely. It’s seems like a flaw but not a massive security vulnerability. Also Paypal also doesn’t appear to verify email addresses on registration so anyone can create multiple accounts for the same person without any need to click a confirmation link in a verification email. Again, a flaw but not a massive security vulnerability.

A security vulnerability in PayPal’s systems may make it possible to gain full, unrestricted access to any account within 30 seconds, we’ve heard from Matt Langley of Integrated Computer Enterprises Limited.

The vulnerability lies in PayPal’s forgotten password recovery features. Says Langley:

PayPal sends Password Forgotten Change tokens to unauthorized email addresses instead of the email address on the account. Once you follow the link they email, and change the password, you are given total access to that account. No trickery or sophisticated hacking is required. It’s a bug in their email system that corrupts email addresses.

Once the attacker has access, there’s nothing restricting their ability to siphon money out of the account.

The exploit is, of course, a direct violation of PayPal’s privacy policy and a laundry list of laws, so don’t try this at home — but PayPal needs to act as thieves aren’t particularly concerned with such things.

After a range of high profile attacks this year, use of this vulnerability would easily topple the Sony PlayStation Network attack as the most significant and damaging of the year. PayPal is used by millions of Internet users to transfer money.

Our source says that PayPal has been warned previously but ignored his emails. We’ve contacted PayPal on this matter and are awaiting a response.


This has been debunked, Paypal accounts are safe. More details to come.

Read next: Several Malaysian government websites victims of largest cyberwar waged by Anonymous