Message-ID: <53C841B5.5040705@kechel.de>
Date: Thu, 17 Jul 2014 22:35:49 +0100
From: Jan Kechel <jan@...hel.de>
To: Glen Roberts <glen@...rsec.com>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] Ignore the amount customers confirm is no security vulnerability according to PayPal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
On 07/17/2014 09:47 PM, Glen Roberts wrote:
> Just because they deny it does not mean you did not unveil a valid bug. Personally, if a "feature"
> like this was really intended, I'd like to see the Paypal documentation
> where they highlight the utility and limits of such a function. Since
> when did alteration of data and integrity issues cease to be bugs and/or
> vulnerabilities?
This PayPal confirmation website is something like a signature for a
bank transaction.
To me this is as if my bank changed the amount on a signed check and
claimed it to be a feature and not an inexcusable mistake.
It's even worse because lots of us don't really double-check the
transferred amount after a successful PayPal transaction, as we of course
assume that PayPal makes sure that the signed amount is not overdrawn.
False transactions can not only happen with bad intention; due to the
simplicity of the bug, they can slip in easily as simple bugs in any
shop software. So it's likely that many transactions were made with
actually wrong amounts.
Everyone using PayPal is hereby called to double-check all PayPal
transactions and, if in doubt, claim back the money from PayPal.
Jan
>
> On Thu, Jul 17, 2014 at 8:15 AM, Jan Kechel <jan@...hel.de
> <mailto:jan@...hel.de>> wrote:
>
>
> **********************
> Title:
> **********************
> Transfer any amount regardless of what customer confirmed
>
> **********************
> Short description:
> **********************
> In PayPal Express Checkout the Online-Shop can transfer
> any amount, no matter which amount the client actually
> confirmed at the PayPal website.
>
> **********************
> Steps to reproduce:
> **********************
> 1. SetExpressCheckout with any amount (e.g. 1 Dollar)
> 2. After confirmation of that Dollar simply call
> DoExpressCheckoutPayment with any amount (e.g. 200 Dollar)
>
> **********************
> Proof of Concept:
> **********************
> URL:
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926
>
> Just click 'step 1', login with your paypal-account and
> confirm 1 (one) Euro. After that you'll be redirected
> back to my Proof of Concept site to confirm the transfer
> of 2 (two) Euros, but of course this step could be fully
> automatic without your knowledge as my website could
> display just anything else.
>
> You have to press the Button 'step 2' to actually transfer
> 2 Euros, and the only verification you'll have of this
> bug working is the confirmation-email from PayPal which
> will show 2 Euros instead of 1 (if you choose to check
> those emails at all..)
>
> This Proof of Concept transfers only 1 Euro more than
> the confirmed amount, but I also tried with
> 200 Euro and it works just the same.
>
> **********************
> Screenshots
> **********************
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-1.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-2.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-3.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-4.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-5.png
>
> **********************
> PayPal Bug Bounty (submitted 6th of July 2014)
> **********************
> This bug was submitted to PayPal as EIBBP-29086, but
> PayPal denies this as a security vulnerability.
> Anyway, me personally, I'm really having trouble
> confirming payments with PayPal as I know that
> I don't confirm the displayed amount, but simply any
> amount the shop software chooses to transfer (be it
> because of a simple software bug or bad behaviour).
>
> PayPal says this is 'intended behaviour' due to small
> changes in shipping costs and such.
>
> They deny any Bounty.
>
> **********************
> Proposed Fixes
> **********************
> 1. PayPal should require that any higher amount than the
> confirmed one has to be reconfirmed on their website.
> This would be the correct way to implement this.
>
> 2. PayPal could allow a small difference to what was
> confirmed and should at the same time display this at
> the confirmation page, maybe like this:
> "You confirm 100 Euro (+-10 Euro for adopted shipping)"
>
> 3. Temporary Fix:
> A Browser-Extension should change the PayPal confirmation
> Website according to this screenshot:
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-proposed-fix.png
>
> best regards,
>
> Jan Kechel
>
> --
>
> Glen Roberts
> Principal Consultant
> Charlotte Cybersecurity, Inc.
> (980) 328-5797
>
- -- 
publictimestamp.org/ptb/PTB-21147 whirlpool2 2014-07-17 18:01:46
0DEB1D6AFEF51133863F6F3DAF9DC7ED4BB5AA51A417CA0160483FA3A4C8FCB69ECBDA
D0E0FCE8018F2E9F5226FD52D912724883B6700D5D11553B5C5E0FCF26
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
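The two-step flow in the quoted report (SetExpressCheckout with one amount, DoExpressCheckoutPayment with another) and the first two proposed fixes describe a server-side policy that is easy to model. The following is an added example, not code from the original post and not PayPal's API: a hypothetical gateway that records the amount the buyer confirmed against a checkout token and, at capture time, either approves the requested amount, or flags it for reconfirmation when it exceeds the confirmed amount by more than a disclosed shipping tolerance (fix 1 is the same rule with a tolerance of zero). All class, function and field names are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum
import secrets

# Hypothetical model of the two Express Checkout steps named in the report.
# None of these names are PayPal's; they exist only to show the check.


class CaptureResult(Enum):
    APPROVED = "approved"                    # within confirmed amount (+ tolerance)
    RECONFIRM_REQUIRED = "reconfirm_required"  # fix 1/2: buyer must confirm again
    REJECTED = "rejected"                    # unknown token, unconfirmed, bad input


@dataclass
class Checkout:
    amount: Decimal      # amount displayed to and confirmed by the buyer
    currency: str
    confirmed: bool = False


@dataclass
class PaymentGateway:
    # Fix 2 from the report: a small, disclosed tolerance for shipping changes.
    # A tolerance of 0 gives fix 1: any higher amount needs reconfirmation.
    shipping_tolerance: Decimal = Decimal("10.00")
    _tokens: dict = field(default_factory=dict)

    def set_express_checkout(self, amount: str, currency: str) -> str:
        """Step 1: the shop announces the amount; the gateway binds it to a token."""
        token = secrets.token_hex(8)
        self._tokens[token] = Checkout(Decimal(amount), currency)
        return token

    def confirmation_text(self, token: str) -> str:
        """What the buyer would see, including the tolerance (fix 2's wording)."""
        c = self._tokens[token]
        return (f"You confirm {c.amount} {c.currency} "
                f"(+-{self.shipping_tolerance} {c.currency} for adjusted shipping)")

    def buyer_confirms(self, token: str) -> None:
        self._tokens[token].confirmed = True

    def do_express_checkout_payment(self, token: str, amount: str,
                                    currency: str) -> CaptureResult:
        """Step 2: the shop requests capture. The requested amount is checked
        against what the buyer actually confirmed instead of being trusted."""
        c = self._tokens.get(token)
        requested = Decimal(amount)
        if c is None or not c.confirmed or currency != c.currency or requested <= 0:
            return CaptureResult.REJECTED
        if requested <= c.amount + self.shipping_tolerance:
            return CaptureResult.APPROVED
        return CaptureResult.RECONFIRM_REQUIRED


def report_scenario(tolerance: str) -> dict:
    """Replays the report's steps (confirm 1 EUR, then try to capture 2 EUR
    and 200 EUR) under a given tolerance and returns the gateway's decisions."""
    gw = PaymentGateway(Decimal(tolerance))
    token = gw.set_express_checkout("1.00", "EUR")
    gw.buyer_confirms(token)
    unconfirmed = gw.set_express_checkout("1.00", "EUR")  # never confirmed by a buyer
    return {
        "text": gw.confirmation_text(token),
        "capture_1": gw.do_express_checkout_payment(token, "1.00", "EUR"),
        "capture_2": gw.do_express_checkout_payment(token, "2.00", "EUR"),
        "capture_200": gw.do_express_checkout_payment(token, "200.00", "EUR"),
        "wrong_currency": gw.do_express_checkout_payment(token, "1.00", "USD"),
        "unconfirmed": gw.do_express_checkout_payment(unconfirmed, "1.00", "EUR"),
    }


if __name__ == "__main__":
    for tol in ("0", "10.00"):
        print(f"tolerance {tol}:")
        for k, v in report_scenario(tol).items():
            print(f"  {k}: {v}")
```

With a tolerance of zero the 1-to-2 Euro step from the proof of concept is sent back for reconfirmation; with the 10 Euro tolerance it is approved while the 200 Euro capture still is not, and the confirmation text states the tolerance so the buyer knows what they are signing.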