[Full-disclosure] PayPal donation form reveals beneficiary's email address
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] PayPal donation form reveals beneficiary's email address
- From: Eitan Caspi <eitancaspi@xxxxxxxxx>
- Date: Fri, 1 May 2009 12:27:59 -0700 (PDT)
Suggested severity level: Low-to-Medium.
Type of Risk: Information Disclosure (PayPal account authentication (partial)
and private email address).
Local / Remote activated: Remote.
Affected Software: PayPal web site, Donation form.
Access was tested and verified using Internet Explorer 8.0, Firefox 3.0.10 and
Opera 9.64.
Summary: By clicking a recent version (as far as I can tell; I cannot trace and
test every version) of a PayPal Donation button, the beneficiary's primary email
address is displayed in the header of the donation form and, of course, in the
form's source code.
This email address is also the one the beneficiary uses to log in to their
PayPal account and to manage it operationally and financially.
The email address is displayed even though, when creating the donation button,
PayPal offers an option to hide the email address; this option does not work
even when it is used (see the "Self Reproduction" section below for details).
Possible Abuses: Phishers may use the beneficiary's email address to send
him/her a phishing email pointing at a malicious web page, in an attempt to
break into this person's PayPal account.
Other attackers can use the email address to brute-force the beneficiary's
PayPal account: PayPal authentication is based on two values, the beneficiary's
email address and a password, so once the address is known only the password
remains to be guessed.
Spammers may simply harvest the beneficiary's email address and add it to their
list of spamming targets.
Reproduction:
1. Search for newly created donation buttons on web sites. For example, search
Google for "donate via PayPal" or "donate using PayPal" on pages indexed in the
last month (you may also try these queries without the time limitation; that may
work as well):
a.
http://www.google.com/search?hl=en&lr=&safe=off&rlz=1B3GGGL_enIL269IL269&q=%22donate+via+paypal%22&as_qdr=m&btnG=Search
b.
http://www.google.com/search?hl=en&lr=&safe=off&rlz=1B3GGGL_enIL269IL269&q=%22donate+using+paypal%22&as_qdr=m&btnG=Search
2. In the search results, find sites that ask for a donation and follow any link
that leads to such a site.
3. On the donation request page you land on, click the donation button or link.
(If you use the Firefox security add-on "NoScript" (http://noscript.net), turn it
off, or temporarily allow the beneficiary's site, before clicking the PayPal
button or link; otherwise you will be redirected away from the donation form to
a main PayPal page.)
Prefer pages whose donation buttons use the more recent icons served from
https://www.paypal.com/en_US/i/btn/btn_donateCC_LG.gif (with the logos of the
credit card firms) or https://www.paypal.com/en_US/i/btn/btn_donate_LG.gif
(without the credit card firms' logos).
4. Read the beneficiary's primary email address at the top of the PayPal
donation form (it sits inside the "h1" element of the form's HTML).
Self Reproduction (making your own button and clicking it):
1. Create a PayPal account at
https://www.paypal.com/us/cgi-bin/webscr?cmd=_registration-run . A "Personal"
account type will do.
2. After completing the creation of your account at PayPal, browse to a page
made for creating the donation button -
https://www.paypal.com/cgi-bin/webscr?cmd=_button-designer&factory_type=donate .
3. At this page, at the "Email address to receive payments" field, click the
"Log in" link. You will go via the regular PayPal authentication process and
then will be redirected back to the button creation page, this time as an
authenticated PayPal customer.
4. In the "Merchant ID for purchase transactions" field choose the option of
"Secure merchant account ID".
Next to this field there will be a link titled "Why is this secure?"
(https://www.paypal.com/il/cgi-bin/webscr?cmd=xpt/Merchant/popup/BDSecureMerchantId)
which states: "A secure merchant account ID is a number that only PayPal can
match to your real email address in your profile. Your primary e-mail address
is never displayed, so it cannot be used by spammers.
If you choose a plain text e-mail address, however, it will be displayed in the
button code. Anyone, including spammers, can copy this address for their own
use."
5. Click "Create Button" and then copy the code created for the donation button
and place it as part of the HTML code of any web page you own.
6. Load the web page you just created to be displayed using a web browser and
click the "Donate" button (see the above note about "NoScript"). You will be
directed to the PayPal donation form where you will be able to read the primary
email address of your PayPal account on the top of form (located in the "h1"
section of the HTML code of the form).
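The two procedures above both reduce to inspecting HTML: step 4 of each looks for an email address inside the form's "h1" element, and the "Secure merchant account ID" option is about whether the button code itself carries the address in plain text. The following Python script, an added example that is not part of this advisory and not PayPal code, automates both checks with the standard library only. The sample HTML in it is constructed for this example, and the hidden-field names "business" and "hosted_button_id" are assumed from PayPal button markup rather than quoted from the advisory.

```python
"""Check donation-page HTML for an exposed beneficiary e-mail address.

Added example, not part of the original advisory and not PayPal's code.
Two checks, matching the advisory's two procedures:
  1. find_h1_emails(): does the donation form's <h1> carry an e-mail address?
  2. button_exposes_email(): does the button HTML embed the address in plain
     text (instead of an opaque hosted button ID)?
All sample HTML below is constructed for this example; the hidden-field names
"business" and "hosted_button_id" are assumed, not quoted from the advisory.
"""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _H1Collector(HTMLParser):
    """Collect the text content of every <h1> element, nested tags included."""

    def __init__(self):
        super().__init__()
        self._depth = 0
        self._buf = []
        self.headings = []

    def handle_starttag(self, tag, attrs):
        if tag == "h1":
            self._depth += 1

    def handle_endtag(self, tag):
        if tag == "h1" and self._depth:
            self._depth -= 1
            if self._depth == 0:
                self.headings.append("".join(self._buf).strip())
                self._buf = []

    def handle_data(self, data):
        if self._depth:
            self._buf.append(data)


def find_h1_emails(form_html):
    """Return every e-mail address found inside <h1> elements of a page."""
    parser = _H1Collector()
    parser.feed(form_html)
    found = []
    for heading in parser.headings:
        found.extend(EMAIL_RE.findall(heading))
    return found


class _HiddenInputs(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if (attr.get("type") or "").lower() == "hidden" and attr.get("name"):
            self.fields[attr["name"]] = attr.get("value") or ""


def button_exposes_email(button_html):
    """Return the e-mail address embedded in button code, or None if no hidden
    field value is an address (i.e. the button uses an opaque ID)."""
    parser = _HiddenInputs()
    parser.feed(button_html)
    for value in parser.fields.values():
        if EMAIL_RE.fullmatch(value.strip()):
            return value.strip()
    return None


# Constructed sample: a donation form whose heading names the beneficiary.
LEAKY_FORM = """
<html><body>
<h1>Donate to <b>treasurer@example.org</b></h1>
<form><input type="submit" value="Donate"></form>
</body></html>
"""

# Constructed samples: a hosted button (opaque ID, assumed field name) versus
# a plain-text e-mail button (assumed field name "business").
HOSTED_BUTTON = """
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="hosted_button_id" value="ABCDEF123456">
</form>
"""
PLAINTEXT_BUTTON = """
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="business" value="treasurer@example.org">
</form>
"""

if __name__ == "__main__":
    print("h1 addresses:", find_h1_emails(LEAKY_FORM))
    print("hosted button exposes:", button_exposes_email(HOSTED_BUTTON))
    print("plain-text button exposes:", button_exposes_email(PLAINTEXT_BUTTON))
```

Run it against a saved copy of a donation form (the page reached after clicking the button) and against the button code pasted into your own page; the first check reproduces the advisory's finding, the second shows what the "secure merchant account ID" option actually protects, which is only the button markup on the beneficiary's site.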
Exploit Code: There is no need for an exploit code.
Direct solution: None that I am aware of at the time of writing this advisory.
I guess the solution can only be made by PayPal, since it is their web site
form.
Workarounds: None that I am aware of at the time of writing this advisory.
I can only advise PayPal donation users to stop using the donation button until
PayPal solves this issue, and thus to remove any PayPal donation buttons and
links from their sites until this issue is fixed.
Vendor response:
PayPal was notified by email on 25 April 2009 (sitesecurity@xxxxxxxxxx, the
address found at
https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/ReportingSecurityIssues-outside).
Two days later, after some email exchange, PayPal gave the following final
response:
"
I’ve discussed with the product team and there is probably some language
cleanup needed on the signup forms. The intent of the feature is not to
prevent showing the email address during a payment flow, but to prevent the
harvesting of the email address from the site hosting the donation button. The
bug, if any, is in the language describing the feature not in the feature
itself. Thank you for bringing it to our attention. The product team is
filing a change request to adjust the language and make it clearer.
"
So the security option mentioned above is for producing more secure button code
for the beneficiary's web site, but PayPal still did not answer about the issue
of their own form exposing the beneficiary's email address on their own web
site.
Credit:
Eitan Caspi
Israel
Email: eitancaspi (at) yahoo (dot) com
Past security advisories:
1.
http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/kb/315085/en-us
http://online.securityfocus.com/bid/4053
2.
http://support.microsoft.com/?kbid=329350
http://online.securityfocus.com/bid/5972
3.
http://www.securityfocus.com/archive/1/301624
http://online.securityfocus.com/bid/6280
4.
http://online.securityfocus.com/archive/1/309442
http://online.securityfocus.com/bid/6736
5.
http://www.securityfocus.com/archive/1/314361
http://www.securityfocus.com/bid/7046
6.
http://www.securityfocus.com/archive/1/393800
7.
http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded
8.
http://www.securityfocus.com/archive/1/archive/1/446220/100/0/
9.
http://www.securityfocus.com/archive/1/459140/30/90/threaded
http://www.securityfocus.com/bid/22413
10.
http://www.securityfocus.com/archive/1/460664/30/60/threaded
11.
http://www.securityfocus.com/archive/1/472216/30/0/threaded
Eitan Caspi
Israel
Security blogs (Hebrew) - http://security.caspi.org.il
"Technology is like sex. No hands on - No fun." (Eitan
Caspi)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/