Auctionbytes.com uncovers Paypal security flaw

Natick, Massachusetts - March 26, 2006 - AuctionBytes today reported a major security flaw on PayPal's website could help scammers who send out "phishing" emails by allowing them to determine a PayPal member's full name and include it in hoax emails, giving them an air of legitimacy.

AuctionBytes discovered the URL with the vulnerability on Friday evening when it was sent in by an anonymous user who stated he was told the security hole had been in place for about 1 year and that many scammers were aware of its existence. Adding a PayPal member's email address to the end of that specific PayPal URL caused a box to appear with that member's full name. Entering an email address of a non-member brought up an error message. There was no need to log into PayPal to access that URL, and it isn't clear what the page was designed to accomplish.

PayPal tells its users to expect official PayPal emails to contain their names in the body of the email. Phishing emails that include a person's correct name that corresponds to their email address could fool the recipients into believing the email is actually from PayPal. Phishing emails are sent to trick people into revealing financial information and/or account passwords. AuctionBytes began reporting on hoax emails targeting PayPal in June of 2002. Since then, phishing attacks have become a serious problem for PayPal and eBay members as the emails get more sophisticated and attackers prey on unsuspecting users.

In PayPal's tips called "Protect Yourself from Fraudulent Emails" in a section titled "Please use the following tips to stay safe with PayPal," it states: "Greeting: Emails from PayPal will address you by your first and last name or the business name associated with your PayPal account. Fraudulent emails often include the salutation "Dear PayPal User" or "Dear PayPal Member".

A graphic of a screenshot of the page that comes up after entering eBay CEO Meg Whitman's email address can be viewed on the Auctionbytes.com Web site. A test by AuctionBytes of 30 email addresses brought back real names of over 25 PayPal users.

PayPal has a section of its site devoted to educating members about security issues and eBay has a section about Marketplace Safety on its site that includes a tutorial about spoof emails. eBay also recommends that PayPal and eBay members use its toolbar, which can detect when a user is visiting a valid PayPal or eBay site.

A PayPal spokesperson called the vulnerability a bug, and by late on Friday the URL redirected to PayPal's homepage.