Full Disclosure mailing list archives
Re: Ignore the amount customers confirm is no security vulnerability according to PayPal
From: Glen Roberts <glen () charsec com>
Date: Thu, 17 Jul 2014 16:47:14 -0400
Just because they deny it does not mean you did not unveil a valid bug. Personally, if a "feature" like this was really intended, I'd like to see the PayPal documentation where they highlight the utility and limits of such a function. Since when did alteration of data and integrity issues cease to be bugs and/or vulnerabilities?

On Thu, Jul 17, 2014 at 8:15 AM, Jan Kechel <jan () kechel de> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

**********************
Title:
**********************
Transfer any amount regardless of what customer confirmed

**********************
Short description:
**********************
In PayPal Express Checkout the Online-Shop can transfer any amount, no matter which amount the client actually confirmed at the PayPal website.

**********************
Steps to reproduce:
**********************
1. SetExpressCheckout with any amount (e.g. 1 Dollar)
2. After confirmation of that Dollar simply call DoExpressCheckoutPayment with any amount (e.g. 200 Dollar)

**********************
Proof of Concept:
**********************
URL: http://lvps91-250-100-5.dedicated.hosteurope.de:43926

Just click 'step 1', login with your paypal-account and confirm 1 (one) Euro. After that you'll be redirected back to my Proof of Concept site to confirm the transfer of 2 (two) Euros, but of course this step could be fully automatic without your knowledge as my website could display just anything else. You have to press the Button 'step 2' to actually transfer 2 Euros, and the only verification you'll have of this bug working is the confirmation-email from PayPal which will show 2 Euros instead of 1 (if you choose to check those emails at all..)

This Proof of Concept transfers only 1 Euro more than the confirmed amount, but I also tried with 200 Euro and it works just the same.

**********************
Screenshots
**********************
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-1.png
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-2.png
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-3.png
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-4.png
http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-5.png

**********************
PayPal Bug Bounty (submitted 6th of July 2014)
**********************
This BUG was submitted to PayPal as EIBBP-29086, but PayPal denies this as a security vulnerability.

Anyway, me personally, I'm really having trouble confirming payments with PayPal as I know that I don't confirm the displayed amount, but simply any amount the shop-software chooses to transfer (be it because of a simple software-bug or bad behaviour).

PayPal says this is 'intended behaviour' due to small changes in shipping costs and such. They deny any Bounty.

**********************
Proposed Fixes
**********************
1. PayPal should require that any higher amount than the confirmed one has to be reconfirmed on their website. This would be the correct way to implement this.
2. PayPal could allow a small difference to what was confirmed and should at the same time display this at the confirmation page, maybe like this: "You confirm 100 Euro (+-10 Euro for adopted shipping)"
3. Temporary Fix: A Browser-Extension should change the PayPal confirmation Website according to this screenshot: http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-proposed-fix.png

best regards,

Jan Kechel

- --
publictimestamp.org/ptb/PTB-21144 ripemd256 2014-07-17 09:01:45
06D21B6FC2FA0D77CDC2F4CB2AC5511E1C2399AC3EEDD8ADB16A89F291B87945
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAwAGBQJTx75QAAoJEECuQ42+sZdOdiAP/iQ+kOTiWVJF0BGFIgDQih8f
i+pYSas8mA7m5hsVmRViHA5FOCqr7ickKO3qBr41r7t3rz/iinNdu+poVIAHr2jd
RwRaIxXk0cem4Kh2MVmEffkUyTXWDt6aMfaLelAX06QszlDtCp+/R0RTZjMasl4g
qpRflwezx6Hynoex3XeEiUgS3MothITmT2henQMv9IiUpHQ6qOq/7E46LCIWUine
pwzphmODYCODj84ebhrZgWB4wNNSIFP+/xAHulU08xc39PlDdSDThGJB5lGynTWS
lSn7J7AA0ZloBcvym4utgLMyYPyxrGfnpaH7Zg2T70dbaS7uzqFJmJZb8O9ReEnx
DEFJoUKy/qES3hFcbDb10HRvqX+Sd/6uC0Cgt8CuPkI7q18u6V3P95BxI0wtRfbQ
5r3bkMHAr71f7/UP0nxcQh2kKi+3Fv5d25wNWt6RGRw4LsvAIYj1vKUXgqGdNhvi
7w+jGX7i/VilQ5YMf31/QtsM8tbXHPzqFb5Po1klnUqCDSGJYAd61vm/qgpi8+9r
dWuTJzjUsCjcJkv0yTt1jtcAHquZxTi+IEJM/O1HBZd//p7Wjy8kd892z/Fss6GI
m7yeKL8s4YbCpB4XyULTAAGKOtqNscUcHJXbeoEnnF6VEhhcxgMFw34F+mkbw1uf
B0dILrmsTMFrYi58Cmzv
=wk1e
-----END PGP SIGNATURE-----
--
Glen Roberts
Principal Consultant
Charlotte Cybersecurity, Inc.
(980) 328-5797

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
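The fix Kechel proposes has two parts: any capture above the confirmed amount must be reconfirmed on the processor's side (proposal 1), and if a shipping tolerance is allowed it must be shown to the customer on the confirmation page (proposal 2). The following is an added example written for this archive page, not PayPal code and not Kechel's proof of concept. It models the processor side of such a flow: the amount shown to the customer is recorded against the checkout token, and the capture call is refused unless it stays within what was confirmed. The class and method names, the tolerance field and the result strings are all hypothetical; they echo the SetExpressCheckout/DoExpressCheckoutPayment names from the posting only for readability.

```python
"""Processor-side model of an Express-Checkout-style flow with the amount
actually confirmed by the customer enforced at capture time.

Added example for this thread; hypothetical names throughout, not an API.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict
import secrets


@dataclass
class Checkout:
    amount: Decimal      # amount displayed to the customer at confirmation
    currency: str
    tolerance: Decimal   # hypothetical: upward slack for adjusted shipping, shown to the customer
    confirmed: bool = False
    captured: bool = False


class Processor:
    def __init__(self) -> None:
        self._checkouts: Dict[str, Checkout] = {}

    def set_express_checkout(self, amount: str, currency: str, tolerance: str = "0") -> str:
        """Merchant registers the order; the processor stores what the customer will see."""
        token = secrets.token_hex(8)
        self._checkouts[token] = Checkout(Decimal(amount), currency, Decimal(tolerance))
        return token

    def confirmation_text(self, token: str) -> str:
        """Proposal 2: the confirmation page states the amount AND the allowed slack."""
        c = self._checkouts[token]
        return f"You confirm {c.amount} {c.currency} (+{c.tolerance} {c.currency} for adjusted shipping)"

    def customer_confirms(self, token: str) -> None:
        self._checkouts[token].confirmed = True

    def do_express_checkout_payment(self, token: str, amount: str, currency: str) -> str:
        """Merchant asks to capture. The processor compares against the confirmed amount,
        not against whatever the merchant now sends."""
        c = self._checkouts.get(token)
        if c is None:
            return "REJECTED: unknown token"
        if not c.confirmed:
            return "REJECTED: customer has not confirmed"
        if c.captured:
            return "REJECTED: token already used"
        if currency != c.currency:
            return "REJECTED: currency mismatch"
        requested = Decimal(amount)
        if requested <= 0:
            return "REJECTED: non-positive amount"
        if requested > c.amount + c.tolerance:
            # Proposal 1: anything above what the customer saw (plus the displayed
            # slack) invalidates the earlier confirmation and must be shown again.
            c.confirmed = False
            return "RECONFIRM_REQUIRED"
        # A lower or equal amount never exceeds what the customer agreed to.
        c.captured = True
        return "CAPTURED"


def demo() -> Dict[str, str]:
    """Replays the scenarios from the posting against the model (constructed inputs)."""
    p = Processor()
    results = {}

    # Posting's PoC: customer confirms 1 EUR, shop tries to capture 2 EUR.
    t1 = p.set_express_checkout("1.00", "EUR")
    p.customer_confirms(t1)
    results["confirm_1_capture_2"] = p.do_express_checkout_payment(t1, "2.00", "EUR")

    # Same with the 200 EUR variant mentioned in the posting.
    t2 = p.set_express_checkout("1.00", "EUR")
    p.customer_confirms(t2)
    results["confirm_1_capture_200"] = p.do_express_checkout_payment(t2, "200.00", "EUR")

    # Proposal 2: 100 EUR with a displayed 10 EUR shipping tolerance.
    t3 = p.set_express_checkout("100.00", "EUR", tolerance="10.00")
    results["confirmation_text"] = p.confirmation_text(t3)
    p.customer_confirms(t3)
    results["confirm_100_capture_105"] = p.do_express_checkout_payment(t3, "105.00", "EUR")
    results["replay_same_token"] = p.do_express_checkout_payment(t3, "105.00", "EUR")

    t4 = p.set_express_checkout("100.00", "EUR", tolerance="10.00")
    p.customer_confirms(t4)
    results["confirm_100_capture_111"] = p.do_express_checkout_payment(t4, "111.00", "EUR")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the amount the customer confirmed lives with the processor, keyed by the single-use token, so the merchant's later capture request is checked against it rather than trusted; the tolerance exists only because the customer saw it on the confirmation page.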
Current thread:
- Ignore the amount customers confirm is no security vulnerability according to PayPal Jan Kechel (Jul 17)
- Re: Ignore the amount customers confirm is no security vulnerability according to PayPal Glen Roberts (Jul 17)