Thursday, June 16, 2011

PayPal vulnerability allows access to any account within 30 seconds

A security vulnerability in PayPal’s systems makes it possible to gain full, unrestricted access to any account within 30 seconds.

The vulnerability lies in PayPal’s forgotten password recovery features. Says Matt Langley:
PayPal sends Password Forgotten Change tokens to unauthorized email addresses instead of the email address on the account. Once you follow the link they email, and change the password, you are given total access to that account. No trickery or sophisticated hacking is required. It’s a bug in their email system that corrupts email addresses.
Once the attacker has access, there’s nothing restricting their ability to siphon money out of the account.
The exploit is, of course, a direct violation of PayPal’s privacy policy and a laundry list of laws, so don’t try this at home, but PayPal needs to act, as thieves aren’t particularly concerned with such things.
