Kiwi developer exposes PayPal account vulnerability

Press Release
For Immediate Release
27 May 2009

Kiwi developer exposes PayPal account vulnerability

A New Zealand software developer has exposed a fundamental flaw in PayPal's online payments system that allows anyone to access certain PayPal accounts with only 30 seconds of effort.

However, the giant American corporation appears oblivious and is allegedly denying its system is insecure.

"It is currently possible to access other people's PayPal accounts in about 30 seconds simply by resetting their password using publicly available information," says Ewart MacLucas of Auckland company Firewall Technologies Ltd.

For PayPal accounts with no credit card or bank account registered, it appears the only information required to gain control of the account is the street address or phone number associated with the account.

This was highlighted when MacLucas was able to reset his PayPal account password just by entering 32, the company's street number. He found this surprising given that the company's contact phone numbers and street address were published on its death2ads.com website.
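The weakness the release describes is a password reset that treats a publicly known detail (a street number or phone number) as proof of identity. The following is an added illustration, not code from the release or from PayPal: the flawed check beside a reset flow built on a random, single-use, short-lived token delivered out of band to the registered address. The account record, e-mail address and token lifetime are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account, modelled on the release: no card or bank
# account on file, and the street number is published on the owner's website.
ACCOUNTS = {
    "seller@example.com": {"street_number": "32", "password": "old-password"},
}

def weak_reset(email, street_number_claim, new_password):
    """Flawed flow: the street number is public, so matching it proves nothing."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["street_number"] != street_number_claim:
        return False
    acct["password"] = new_password
    return True

# Hardened flow: the secret is generated by the server, never derived from
# account details, expires quickly, and is consumed on first use.
TOKEN_TTL_SECONDS = 600  # assumed lifetime for the example
_pending = {}            # email -> (sha256 hex of token, expiry timestamp)

def request_reset(email, now=None):
    """Issue a token; in a real system it is sent only to the registered address."""
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[email] = (digest, now + TOKEN_TTL_SECONDS)
    return token

def complete_reset(email, token, new_password, now=None):
    """Accept the reset only for a live, unused token; any attempt consumes it."""
    now = time.time() if now is None else now
    entry = _pending.pop(email, None)
    if entry is None:
        return False
    digest, expires = entry
    if now > expires:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, presented):  # constant-time comparison
        return False
    ACCOUNTS[email]["password"] = new_password
    return True
```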

MacLucas says his PayPal account contains payments made during go-live testing of his company's new Death 2 Ads ad blocking firewall, and will contain all payments made by customers purchasing the software.

PayPal did not respond to his written concerns so MacLucas spent over an hour on the phone with PayPal in the USA trying to alert them to his concerns about the flaw.

"Different PayPal people had different explanations, initially saying their system monitored security and would prevent access from other computers, but I proved that incorrect on the spot by resetting the password from another computer which had never accessed PayPal," said MacLucas.


The most senior PayPal representative MacLucas eventually spoke to explained that what he was seeing in his account was "not really financial information", even asking him, "You understand what financial information is, correct?"

MacLucas is of the view that the statement of financial transactions, including a list of who paid, when they paid, how much they paid and associated PayPal fees, is financial information.

The biggest concern MacLucas has is that others might unwittingly have PayPal accounts that can easily be hijacked for fraudulent purposes.

ENDS

© Scoop Media
