back to article PayPal Manager bug left web stores open to cyber-burglars

eBay-owned PayPal has plugged a vulnerability that potentially allowed thieves to seize control of merchants' online stores and empty the shelves. The bug – discovered by security researcher Mark Litchfield of Securatary – affected PayPal Manager, which is used to manage PayFlow accounts by people selling stuff online. PayPal …

COMMENTS

This topic is closed for new posts.
  1. monkeyfish

    >

    Looks like someone forgot to close a bracket, the PDF link extends to all the text below it. Also, the mobile site has no 'send corrections' link.

  2. Ted Treen
    Pint

    Makes a nice change...

    To see someone:-

    a) sort it out very quickly

    b) put their hand up to it without equivocating woffle

    c) say "thanks" to the finder.

    It's a pleasant change. A pint for PayPal.

  3. Anonymous Coward
    Anonymous Coward

    Not a proper corporate

    A proper corporate would have brought the cops in to arrest the security researcher, lobbied for harsher penalties for "computer crime" and, of course, left the bug un-patched for the next CIO to deal with. Oh, and blamed $ENEMY_DU_JOUR for the subsequent slurp of customer info from the unencrypted file in the web root named "customer-info_-_full.txt" right next to the recently renamed file "dot-htaccess"

    1. Anonymous Coward
      Anonymous Coward

      Re: Not a proper corporate

      @ql: No what you describe is what governments and their agencies do. Possibly also getting someone arrested or even extradited on suspicion of terrorism (or aiding terrorists).

  4. anujnayar

    Security researcher followed procedure

    Anuj from PayPal here. This story is from last week.

    http://threatpost.com/paypal-fixes-serious-account-hijacking-bug-in-manager/106117

    The potential vulnerability was responsibly reported to PayPal by the security researcher before he went public and quickly addressed by the PayPal team. PayPal has conducted a thourough investigation of this situation and can confirm that there is no evidence that PayPal customer information was compromised.

  5. JCitizen
    Coffee/keyboard

    Well I'd hope so!!

    During the Heartbleed fiasco, I was testing PayPal servers and one of them was mis-configured, and presented a vulnerability not related to heart bleed. They said they'd look into it. I haven't retested them yet, but we'll see.

This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022