Message-ID: <53C7BE5E.7050703@kechel.de>
Date: Thu, 17 Jul 2014 13:15:26 +0100
From: Jan Kechel <jan@...hel.de>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] Ignore the amount customers confirm is no security vulnerability according to PayPal


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

**********************
Title:
**********************
Transfer any amount regardless of what customer confirmed

**********************
Short description:
**********************
In PayPal Express Checkout the Online-Shop can transfer
any amount, no matter which amount the client actually
confirmed at the PayPal website.

**********************
Steps to reproduce:
**********************
1. SetExpressCheckout with any amount (e.g. 1 Dollar)
2. After confirmation of that Dollar simply call
DoExpressCheckoutPayment with any amount (e.g. 200 Dollar)

**********************
Proof of Concept:
**********************
URL:
http://lvps91-250-100-5.dedicated.hosteurope.de:43926

Just click 'step 1', log in with your PayPal account and
confirm 1 (one) Euro. After that you'll be redirected
back to my Proof of Concept site to confirm the transfer
of 2 (two) Euros, but of course this step could be fully
automatic without your knowledge as my website could
display just anything else.

You have to press the button 'step 2' to actually transfer
2 Euros, and the only verification you'll have of this
bug working is the confirmation email from PayPal which
will show 2 Euros instead of 1 (if you choose to check
those emails at all...)

This Proof of Concept transfers only 1 Euro more than
the confirmed amount, but I also tried with
200 Euro and it works just the same.

**********************
Screenshots
**********************
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-1.png
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-2.png
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-3.png
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-4.png
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-5.png

**********************
PayPal Bug Bounty (submitted 6th of July 2014)
**********************
This BUG was submitted to PayPal as EIBBP-29086, but
PayPal denies this as a security vulnerability.
Anyway, me personally, I'm really having trouble
confirming payments with PayPal as I know that
I don't confirm the displayed amount, but simply any
amount the shop software chooses to transfer (be it
because of a simple software bug or bad behaviour).

PayPal says this is 'intended behaviour' due to small
changes in shipping costs and such.

They deny any Bounty.

**********************
Proposed Fixes
**********************
1. PayPal should require that any higher amount than the
confirmed one has to be reconfirmed on their website.
This would be the correct way to implement this.

2. PayPal could allow a small difference to what was
confirmed and should at the same time display this at
the confirmation page, maybe like this:
"You confirm 100 Euro (+-10 Euro for adopted shipping)"

3. Temporary Fix:
A browser extension should change the PayPal confirmation
website according to this screenshot:
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-proposed-fix.png
 
best regards,

Jan Kechel

- -- 
publictimestamp.org/ptb/PTB-21144 ripemd256 2014-07-17 09:01:45
06D21B6FC2FA0D77CDC2F4CB2AC5511E1C2399AC3EEDD8ADB16A89F291B87945



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
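Added example, not code from the post and not PayPal's implementation: a toy model of the two-step token flow (set the amount, customer confirms, shop captures) with the gateway-side check that the post's proposed fixes 1 and 2 ask for. The class and method names, the token format and the `tolerance` parameter are assumptions chosen for illustration only.

```python
"""Toy Express-Checkout-style gateway that refuses to settle more than the
customer confirmed (proposed fix 1), or more than a displayed tolerance
above it (proposed fix 2). Example code; names are assumptions, not PayPal's API."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional
import secrets


@dataclass
class Checkout:
    requested: Decimal                      # amount the shop asked for in step 1
    confirmed: Optional[Decimal] = None     # amount the customer actually approved
    settled: bool = False                   # a token may be captured only once


@dataclass
class Gateway:
    # Largest increase over the confirmed amount that may be captured without
    # sending the customer back to the confirmation page. 0 models fix 1
    # (any increase needs reconfirmation); a positive value models fix 2.
    tolerance: Decimal = Decimal("0")
    _checkouts: dict = field(default_factory=dict)

    def set_express_checkout(self, amount) -> str:
        """Step 1: the shop registers the amount and receives a token."""
        token = "EC-" + secrets.token_hex(8)        # constructed token format
        self._checkouts[token] = Checkout(requested=Decimal(amount))
        return token

    def customer_confirms(self, token: str) -> str:
        """The customer approves the amount; returns the text shown on the
        confirmation page, which states the tolerance when one applies."""
        co = self._checkouts[token]
        co.confirmed = co.requested
        text = f"You confirm {co.requested} EUR"
        if self.tolerance:
            text += f" (+{self.tolerance} EUR for shipping adjustments)"
        return text

    def do_express_checkout_payment(self, token: str, amount) -> dict:
        """Step 2: the shop captures. Settle only if the requested amount is
        within what the customer saw; otherwise demand reconfirmation."""
        co = self._checkouts.get(token)
        amount = Decimal(amount)
        if co is None or co.confirmed is None:
            return {"ack": "Failure", "reason": "token not confirmed"}
        if co.settled:
            return {"ack": "Failure", "reason": "token already used"}
        if amount > co.confirmed + self.tolerance:
            # Mismatch between confirmed and captured amount: do not settle,
            # and hand back both figures so the event can be logged/alerted.
            return {"ack": "Failure", "reason": "reconfirmation required",
                    "confirmed": str(co.confirmed), "requested": str(amount)}
        co.settled = True
        return {"ack": "Success", "charged": str(amount)}


if __name__ == "__main__":
    gw = Gateway()
    tok = gw.set_express_checkout("1.00")
    print(gw.customer_confirms(tok))
    print(gw.do_express_checkout_payment(tok, "2.00"))   # refused
    print(gw.do_express_checkout_payment(tok, "1.00"))   # settles
```

The decisive line is the comparison against `co.confirmed`, the value the customer saw, rather than whatever the shop sends in step 2; the `tolerance` variant is only safe because `customer_confirms` prints that tolerance on the confirmation page, which is the point of the post's second proposal.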
