Unconfirmed PayPal 0day auth flaw lingers after XSS gets fixed

Two vulnerabilities in popular payments platform PayPal emerged this week. A cross-site scripting flaw affecting the web payment service was fixed last month, but another flaw is yet to be resolved. The unresolved vulnerability creates a means to bypass the security approval procedure and two-factor authentication applied by …

  1. Pascal Monett

    Ah, PayPal

    Don't like them much, but can't fault them for leaving stray issues. As far as security is concerned, they actually are leading the pack.

    The fact that the lawsuits would be humongous might be an incentive.

  2. sproot

    And yet

    I've recently started getting spam to my PayPal address, which is several years old. Wonder where it was leaked from, I don't think it's made available to sellers and I've never given it to anyone so they could send me money.

    1. Vic

      Re: And yet

      "I don't think it's made available to sellers"

      It is. Every seller gets your PayPal address, even if you've already given them a different one.

      This is, IMO, one of the leakier aspects of PayPal :-(


      1. Nigel Whitfield.

        Re: And yet

        Yep; and a bit annoying if you have one PayPal account, with several completely different identities - I collect donations from a few different sites of mine in the one account, and there's a different email address for each, but no way to ensure that a different name is given for people based on which one they used.

        I'd like, for example, if people who donate for the Toppy site get a message thanking them for that, not referring to the fact they paid Nigel Whitfield.

