EcommerceBytes-NewsFlash, Number 1244 - March 24, 2006 - ISSN 1539-5065
PayPal Security Flaw Makes eBay and PayPal Users Vulnerable to Phishers
By Ina Steiner
EcommerceBytes.com
March 24, 2006




A flaw on PayPal's website could help scammers who send out "phishing" emails by allowing them to determine a PayPal member's full name and include it in hoax emails, giving them an air of legitimacy.

AuctionBytes discovered the URL with the vulnerability on Friday evening when it was sent in by an anonymous user. Adding a PayPal member's email address to the end of that specific PayPal URL causes a box to appear with that member's full name. Entering an email address of a non-member brings up an error message. There is no need to log into PayPal to access that URL, and it isn't clear what the page is designed to accomplish.

PayPal tells its users to expect official PayPal emails to contain their names in the body of the email. Phishing emails that include a person's correct name that corresponds to their email address could fool the recipients into believing the email is actually from PayPal. Phishing emails are sent to trick people into revealing financial information and/or account passwords. AuctionBytes began reporting on hoax emails targeting PayPal in June of 2002 (http://auctionbytes.com/cab/abn/y02/m06/i27/s03). Since then, phishing attacks have become a serious problem for PayPal and eBay members as the emails get more sophisticated and attackers prey on unsuspecting users.

In PayPal's tips called "Protect Yourself from Fraudulent Emails," in a section titled "Please use the following tips to stay safe with PayPal," it states: "Greeting: Emails from PayPal will address you by your first and last name or the business name associated with your PayPal account. Fraudulent emails often include the salutation 'Dear PayPal User' or 'Dear PayPal Member'."

AuctionBytes has chosen not to include the URL in this article until PayPal has fixed the vulnerability, but you can see in the accompanying graphic a screenshot of the page that comes up after entering eBay CEO Meg Whitman's email address, meg@ebay.com. A test by AuctionBytes of 30 email addresses brought back real names of over 25 PayPal users.

PayPal has a section of its site devoted to educating members about security issues at http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside, and eBay has a section about Marketplace Safety on its site at http://pages.ebay.com/securitycenter/mrkt_safety.html that includes a tutorial about spoof emails. eBay also recommends that PayPal and eBay members use its toolbar, which can detect when a user is visiting a valid PayPal or eBay site.
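The behavior reported above (an email address goes in, a full name or an error comes back, and no login is needed) is shown here as an added example that is not code from PayPal or from this article. The account store, handler names, and response text are constructed for illustration; the `leaks` function is the kind of regression check a site owner could run against their own lookup handler.

```python
# Added illustration: all names, data and responses are constructed, not PayPal's.
from typing import Callable, Optional

# Constructed sample account store: email address -> full name.
ACCOUNTS = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Sample",
}

def lookup_vulnerable(email: str, session_user: Optional[str] = None) -> dict:
    """Mirrors the reported pattern: no login required, and the response
    differs for members (full name) and non-members (error)."""
    name = ACCOUNTS.get(email.lower())
    if name is None:
        return {"status": 404, "body": "No such member"}
    return {"status": 200, "body": f"Account holder: {name}"}

# One fixed response used whether or not the address is registered.
GENERIC = {"status": 200, "body": "If this address is registered, the request was processed."}

def lookup_hardened(email: str, session_user: Optional[str] = None) -> dict:
    """Requires an authenticated session, never echoes the stored name,
    and returns the same response for members and non-members."""
    if session_user is None:
        return {"status": 401, "body": "Login required"}
    return dict(GENERIC)

def leaks(handler: Callable, known: str, unknown: str,
          session_user: Optional[str] = None) -> dict:
    """Defender's check: compare responses for a registered and an
    unregistered address and report what a caller could learn."""
    hit = handler(known, session_user)
    miss = handler(unknown, session_user)
    return {
        "membership": hit != miss,              # responses distinguishable?
        "name": ACCOUNTS[known] in hit["body"],  # stored name echoed back?
    }

if __name__ == "__main__":
    for handler in (lookup_vulnerable, lookup_hardened):
        result = leaks(handler, "alice@example.com", "nobody@example.com")
        print(handler.__name__, result)
```
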

You may quote up to 50 words of any article on the condition that you attribute the article to EcommerceBytes.com and either link to the original article or to www.EcommerceBytes.com.
All other use is prohibited.

    Copyright 1999-. Steiner Associates LLC. All rights reserved.