Active Members akkiliON Posted May 31, 2013 Active Members Report Share Posted May 31, 2013 If you're making a lot of money and you want to keep records of your transactions, then using Paypal's Reporting system you can effectively measure and manage your business.Nir Goldshlager, founder of Breaksec and Security Researcher reported critical flaws in Paypal Reporting system that allowed him to steal private data of any PayPal account.Exploiting the vulnerabilities he discovered, allowed him to access the financial information of any PayPal user including victim's shipping address Email addresses, Phone Number, Item name, Item Amount, Full name, Transaction ID, Invoice ID, Transaction, Subject, Account ID, Paypal Reference ID etc.He found that PayPal is using the Actuate Iportal Application (a third party app) to display customer reports, so Nir downloaded the trial version of this app for testing purpose from its official website.After going deeply through the source code of trial version, Nir located a file named getfolderitems.do that allowed him to access user's data without credentials.Nir found that, Getfolderitems.do file having an ID parameter of 7-8 numeric characters which can be manipulated get the secret token id of respective user with same ID. i.e getfolderitems.do?id=392302.i.e URL : https://business.paypal.com/acweb/getfolderitems.do?folder=/users/tokenidofthevictim/ , where tokenidofthevictim is the secret token of the victim.This flaw that has been exploited for demo purpose only, is now fixed by Security team of Paypal.Hacking PayPal accounts to steal user Private data - TheHackerNews Quote Link to comment Share on other sites More sharing options...
