Message-ID: <CABO57FQd_Nc9_9O_xKBX=0NE8aMzw7NvLtngzYBoYz8RTGNvfg@mail.gmail.com>
Date: Thu, 17 Jul 2014 16:47:14 -0400
From: Glen Roberts <glen@...rsec.com>
To: Jan Kechel <jan@...hel.de>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] Ignore the amount customers confirm is no security vulnerability according to PayPal

Just because they deny it does not mean you did not unveil a valid bug.
Personally, if a "feature" like this was really intended, I'd like to see
the PayPal documentation where they highlight the utility and limits of
such a function. Since when did alteration of data and integrity issues
cease to be bugs and/or vulnerabilities?


On Thu, Jul 17, 2014 at 8:15 AM, Jan Kechel <jan@...hel.de> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> **********************
> Title:
> **********************
> Transfer any amount regardless of what customer confirmed
>
> **********************
> Short description:
> **********************
> In PayPal Express Checkout the Online-Shop can transfer
> any amount, no matter which amount the client actually
> confirmed at the PayPal website.
>
> **********************
> Steps to reproduce:
> **********************
> 1. SetExpressCheckout with any amount (e.g. 1 Dollar)
> 2. After confirmation of that Dollar simply call
> DoExpressCheckoutPayment with any amount (e.g. 200 Dollar)
>
> **********************
> Proof of Concept:
> **********************
> URL:
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926
>
> Just click 'step 1', login with your paypal-account and
> confirm 1 (one) Euro. After that you'll be redirected
> back to my Proof of Concept site to confirm the transfer
> of 2 (two) Euros, but of course this step could be fully
> automatic without your knowledge as my website could
> display just anything else.
>
> You have to press the Button 'step 2' to actually transfer
> 2 Euros, and the only verification you'll have of this
> bug working is the confirmation-email from PayPal which
> will show 2 Euros instead of 1 (if you choose to check
> those emails at all..)
>
> This Proof of Concept transfers only 1 Euro more than
> the confirmed amount, but I also tried with
> 200 Euro and it works just the same.
>
> **********************
> Screenshots
> **********************
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-1.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-2.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-3.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-4.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-5.png
>
> **********************
> PayPal Bug Bounty (submitted 6th of July 2014)
> **********************
> This BUG was submitted to PayPal as EIBBP-29086, but
> PayPal denies this as a security vulnerability.
> Anyway, me personally, I'm really having trouble
> confirming payments with PayPal as I know that
> I don't confirm the displayed amount, but simply any
> amount the shop-software chooses to transfer (be it
> because of a simple software-bug or bad behaviour).
>
> PayPal says this is 'intended behaviour' due to small
> changes in shipping costs and such.
>
> They deny any Bounty.
>
> **********************
> Proposed Fixes
> **********************
> 1. PayPal should require that any higher amount than the
> confirmed one has to be reconfirmed on their website.
> This would be the correct way to implement this.
>
> 2. PayPal could allow a small difference to what was
> confirmed and should at the same time display this at
> the confirmation page, maybe like this:
> "You confirm 100 Euro (+-10 Euro for adopted shipping)"
>
> 3. Temporary Fix:
> A Browser-Extension should change the PayPal confirmation
> Website according to this screenshot:
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-proposed-fix.png
>
> best regards,
>
> Jan Kechel
>
> - --
> publictimestamp.org/ptb/PTB-21144 ripemd256 2014-07-17 09:01:45
> 06D21B6FC2FA0D77CDC2F4CB2AC5511E1C2399AC3EEDD8ADB16A89F291B87945
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQIcBAEBAwAGBQJTx75QAAoJEECuQ42+sZdOdiAP/iQ+kOTiWVJF0BGFIgDQih8f
> i+pYSas8mA7m5hsVmRViHA5FOCqr7ickKO3qBr41r7t3rz/iinNdu+poVIAHr2jd
> RwRaIxXk0cem4Kh2MVmEffkUyTXWDt6aMfaLelAX06QszlDtCp+/R0RTZjMasl4g
> qpRflwezx6Hynoex3XeEiUgS3MothITmT2henQMv9IiUpHQ6qOq/7E46LCIWUine
> pwzphmODYCODj84ebhrZgWB4wNNSIFP+/xAHulU08xc39PlDdSDThGJB5lGynTWS
> lSn7J7AA0ZloBcvym4utgLMyYPyxrGfnpaH7Zg2T70dbaS7uzqFJmJZb8O9ReEnx
> DEFJoUKy/qES3hFcbDb10HRvqX+Sd/6uC0Cgt8CuPkI7q18u6V3P95BxI0wtRfbQ
> 5r3bkMHAr71f7/UP0nxcQh2kKi+3Fv5d25wNWt6RGRw4LsvAIYj1vKUXgqGdNhvi
> 7w+jGX7i/VilQ5YMf31/QtsM8tbXHPzqFb5Po1klnUqCDSGJYAd61vm/qgpi8+9r
> dWuTJzjUsCjcJkv0yTt1jtcAHquZxTi+IEJM/O1HBZd//p7Wjy8kd892z/Fss6GI
> m7yeKL8s4YbCpB4XyULTAAGKOtqNscUcHJXbeoEnnF6VEhhcxgMFw34F+mkbw1uf
> B0dILrmsTMFrYi58Cmzv
> =wk1e
> -----END PGP SIGNATURE-----
>
>


-- 

Glen Roberts
Principal Consultant
Charlotte Cybersecurity, Inc.
(980) 328-5797

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
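The flow in the report (SetExpressCheckout for one amount, customer confirmation, then DoExpressCheckoutPayment for a larger amount) and the two proposed fixes can be modelled as a small state machine. The following is an added example, constructed for this archive page; it is not PayPal's code, not the reporter's proof of concept, and it talks to no live API. It simulates the processor side in two modes: `enforce=False` reproduces the reported behaviour, where a confirmed token can be captured for any amount, and `enforce=True` applies proposed fix 1 (a capture above the confirmed amount needs re-confirmation) together with fix 2 (a displayed shipping tolerance). The class names, the `EC-` token format and the sample amounts are assumptions made for the illustration.

```python
"""Simulated Express Checkout confirm/capture flow (added example, not PayPal
code). Models the weak behaviour described in the disclosure and the hardened
behaviour of the proposed fixes. All names here are constructed for illustration."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional
import secrets


class ProcessorError(Exception):
    """Capture refused by the simulated payment processor."""


class ReconfirmationRequired(ProcessorError):
    """Requested capture exceeds what the customer confirmed (proposed fix 1)."""


@dataclass
class Checkout:
    token: str
    currency: str
    amount_set: Decimal                 # amount given to SetExpressCheckout
    confirmed: bool = False             # customer pressed "confirm" for amount_set
    captured: Optional[Decimal] = None  # amount moved by DoExpressCheckoutPayment


class ExpressCheckoutProcessor:
    """enforce=False: any amount is accepted for a confirmed token (reported
    behaviour). enforce=True: capture is bounded by the confirmed amount plus a
    tolerance that is shown to the customer on the confirmation page."""

    def __init__(self, enforce: bool, tolerance: str = "0"):
        self.enforce = enforce
        self.tolerance = Decimal(tolerance)
        self._checkouts: Dict[str, Checkout] = {}

    def set_express_checkout(self, amount: str, currency: str) -> str:
        token = "EC-" + secrets.token_hex(8)   # constructed token format, an assumption
        self._checkouts[token] = Checkout(token, currency, Decimal(amount))
        return token

    def confirmation_text(self, token: str) -> str:
        """What the customer is shown before pressing confirm (proposed fix 2)."""
        co = self._checkouts[token]
        if self.enforce and self.tolerance:
            return (f"You confirm {co.amount_set} {co.currency} "
                    f"(+-{self.tolerance} {co.currency} for adjusted shipping)")
        return f"You confirm {co.amount_set} {co.currency}"

    def customer_confirms(self, token: str) -> None:
        self._checkouts[token].confirmed = True

    def do_express_checkout_payment(self, token: str, amount: str) -> Decimal:
        """Shop-side capture call. Only the enforce branch binds the captured
        amount to what the customer actually confirmed."""
        co = self._checkouts[token]
        requested = Decimal(amount)
        if not co.confirmed:
            raise ProcessorError("customer has not confirmed this checkout")
        if co.captured is not None:
            raise ProcessorError("token already used")
        if self.enforce and requested > co.amount_set + self.tolerance:
            raise ReconfirmationRequired(
                f"requested {requested} exceeds confirmed {co.amount_set} "
                f"+ tolerance {self.tolerance}; customer must re-confirm")
        co.captured = requested
        return requested


def run_scenario(enforce: bool, tolerance: str = "0") -> Optional[Decimal]:
    """Replays the disclosure's steps with constructed amounts: set 1.00,
    customer confirms 1.00, shop captures 200.00. Returns the captured amount,
    or None when the processor demands re-confirmation."""
    proc = ExpressCheckoutProcessor(enforce, tolerance)
    token = proc.set_express_checkout("1.00", "EUR")
    proc.customer_confirms(token)
    try:
        return proc.do_express_checkout_payment(token, "200.00")
    except ReconfirmationRequired:
        return None


if __name__ == "__main__":
    print("reported behaviour, captured:", run_scenario(enforce=False))
    print("fix 1 only, captured:", run_scenario(enforce=True))
    print("fix 1 + 10 EUR tolerance, captured:", run_scenario(enforce=True, tolerance="10"))
```

The same comparison belongs on the shop side as well: a merchant that records the amount it passed to SetExpressCheckout and refuses to call DoExpressCheckoutPayment for anything larger closes the "simple software-bug" case the reporter mentions, even where the processor does not enforce the bound.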
