Sign in / up

back to article PayPal Manager bug left web stores open to cyber-burglars

eBay-owned PayPal has plugged a vulnerability that potentially allowed thieves to seize control of merchants' online stores and empty the shelves. The bug – discovered by security researcher Mark Litchfield of Securatary – affected PayPal Manager, which is used to manage PayFlow accounts by people selling stuff online. PayPal …

COMMENTS

House rules Send corrections
This topic is closed for new posts.
  1. monkeyfish

    >

    Looks like someone forgot to close a bracket, the PDF link extends to all the text below it. Also, the mobile site has no 'send corrections' link.

    4 0
  2. Ted Treen
    Pint

    Makes a nice change...

    To see someone:-

    a) sort it out very quickly

    b) put their hand up to it without equivocating woffle

    c) say "thanks" to the finder.

    It's a pleasant change. A pint for PayPal.

    7 0
  3. Anonymous Coward
    Anonymous Coward

    Not a proper corporate

    A proper corporate would have brought the cops in to arrest the security researcher, lobbied for harsher penalties for "computer crime" and, of course, left the bug un-patched for the next CIO to deal with. Oh, and blamed $ENEMY_DU_JOUR for the subsequent slurp of customer info from the unencrypted file in the web root named "customer-info_-_full.txt" right next to the recently renamed file "dot-htaccess"

    3 0
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Not a proper corporate

      @ql: No what you describe is what governments and their agencies do. Possibly also getting someone arrested or even extradited on suspicion of terrorism (or aiding terrorists).

      2 0
  4. anujnayar

    Security researcher followed procedure

    Anuj from PayPal here. This story is from last week.

    http://threatpost.com/paypal-fixes-serious-account-hijacking-bug-in-manager/106117

    The potential vulnerability was responsibly reported to PayPal by the security researcher before he went public and quickly addressed by the PayPal team. PayPal has conducted a thourough investigation of this situation and can confirm that there is no evidence that PayPal customer information was compromised.

    2 2
  5. JCitizen
    Coffee/keyboard

    Well I'd hope so!!

    During the Heartbleed fiasco, I was testing PayPal servers and one of them was mis-configured, and presented a vulnerability not related to heart bleed. They said they'd look into it. I haven't retested them yet, but we'll see.

    0 0
This topic is closed for new posts.

Other stories you might like