Just because they deny it does not mean you did not unveil a valid bug. Personally, if a "feature" like this was really intended, I'd like to see the Paypal documentation where they highlight the utility and limits of such a function. Since when did alteration of data and integrity issues cease to be bugs and/or vulnerabilities?
On Thu, Jul 17, 2014 at 8:15 AM, Jan Kechel <[email protected]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> **********************
> Title:
> **********************
> Transfer any amount regardless of what customer confirmed
>
> **********************
> Short description:
> **********************
> In PayPal Express Checkout the Online-Shop can transfer
> any amount, no matter which amount the client actually
> confirmed at the PayPal website.
>
> **********************
> Steps to reproduce:
> **********************
> 1. SetExpressCheckout with any amount (e.g. 1 Dollar)
> 2. After confirmation of that Dollar simply call
> DoExpressCheckoutPayment with any amount (e.g. 200 Dollar)
>
> **********************
> Proof of Concept:
> **********************
> URL:
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926
>
> Just click 'step 1', login with your paypal-account and
> confirm 1 (one) Euro. After that you'll be redirected
> back to my Proof of Concept site to confirm the transfer
> of 2 (two) Euros, but of course this step could be fully
> automatic without your knowledge as my website could
> display just anything else.
>
> You have to press the Button 'step 2' to actually transfer
> 2 Euros, and the only verification you'll have of this
> bug working is the confirmation-email from PayPal which
> will show 2 Euros instead of 1 (if you choose to check
> those emails at all..)
>
> This Proof of Concept transfers only 1 Euro more than
> the confirmed amount, but I also tried with
> 200 Euro and it works just the same.
>
> **********************
> Screenshots
> **********************
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-1.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-2.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-3.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-4.png
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-production-api-5.png
>
> **********************
> PayPal Bug Bounty (submitted 6th of July 2014)
> **********************
> This BUG was submitted to PayPal as EIBBP-29086, but
> PayPal denies this as a security vulnerability.
> Anyway, me personally, I'm really having trouble
> confirming payments with PayPal as I know that
> I don't confirm the displayed amount, but simply any
> amount the shop-software chooses to transfer (be it
> because of a simple software-bug or bad behaviour).
>
> PayPal says this is 'intended behaviour' due to small
> changes in shipping costs and such.
>
> They deny any Bounty.
>
> **********************
> Proposed Fixes
> **********************
> 1. PayPal should require that any higher amount than the
> confirmed one has to be reconfirmed on their website.
> This would be the correct way to implement this.
>
> 2. PayPal could allow a small difference to what was
> confirmed and should at the same time display this at
> the confirmation page, maybe like this:
> "You confirm 100 Euro (+-10 Euro for adopted shipping)"
>
> 3. Temporary Fix:
> A Browser-Extension should change the PayPal confirmation
> Website according to this screenshot:
>
> http://lvps91-250-100-5.dedicated.hosteurope.de:43926/paypal-proposed-fix.png
>
> best regards,
>
> Jan Kechel
>
> - --
> publictimestamp.org/ptb/PTB-21144 ripemd256 2014-07-17 09:01:45
> 06D21B6FC2FA0D77CDC2F4CB2AC5511E1C2399AC3EEDD8ADB16A89F291B87945
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQIcBAEBAwAGBQJTx75QAAoJEECuQ42+sZdOdiAP/iQ+kOTiWVJF0BGFIgDQih8f
> i+pYSas8mA7m5hsVmRViHA5FOCqr7ickKO3qBr41r7t3rz/iinNdu+poVIAHr2jd
> RwRaIxXk0cem4Kh2MVmEffkUyTXWDt6aMfaLelAX06QszlDtCp+/R0RTZjMasl4g
> qpRflwezx6Hynoex3XeEiUgS3MothITmT2henQMv9IiUpHQ6qOq/7E46LCIWUine
> pwzphmODYCODj84ebhrZgWB4wNNSIFP+/xAHulU08xc39PlDdSDThGJB5lGynTWS
> lSn7J7AA0ZloBcvym4utgLMyYPyxrGfnpaH7Zg2T70dbaS7uzqFJmJZb8O9ReEnx
> DEFJoUKy/qES3hFcbDb10HRvqX+Sd/6uC0Cgt8CuPkI7q18u6V3P95BxI0wtRfbQ
> 5r3bkMHAr71f7/UP0nxcQh2kKi+3Fv5d25wNWt6RGRw4LsvAIYj1vKUXgqGdNhvi
> 7w+jGX7i/VilQ5YMf31/QtsM8tbXHPzqFb5Po1klnUqCDSGJYAd61vm/qgpi8+9r
> dWuTJzjUsCjcJkv0yTt1jtcAHquZxTi+IEJM/O1HBZd//p7Wjy8kd892z/Fss6GI
> m7yeKL8s4YbCpB4XyULTAAGKOtqNscUcHJXbeoEnnF6VEhhcxgMFw34F+mkbw1uf
> B0dILrmsTMFrYi58Cmzv
> =wk1e
> -----END PGP SIGNATURE-----
>
>

--
Glen Roberts
Principal Consultant
Charlotte Cybersecurity, Inc.
(980) 328-5797

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
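The two proposed fixes in the quoted post (reconfirm any amount above what the customer approved; optionally honour a small, displayed shipping band) amount to a server-side reconciliation between step 1 and step 2 of the checkout. The following is an added example, written for this archive page and not code from the original post, from Jan Kechel or from PayPal: a toy processor that records what the customer confirmed under a checkout token and only captures within the displayed band at payment time. The class and function names, the in-memory token store and the EUR amounts are assumptions, not PayPal's API.

```python
"""Amount reconciliation for a two-step checkout (set amount -> customer
confirms -> capture). Constructed example: the Processor class, its method
names, the token store and all amounts are assumptions, not PayPal's API."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum

CENT = Decimal("0.01")


class Decision(Enum):
    CAPTURE = "capture"        # within what the customer saw and confirmed
    RECONFIRM = "reconfirm"    # above the confirmed band: customer must approve again
    REJECT = "reject"          # unknown token, currency mismatch or malformed amount


@dataclass
class Confirmation:
    """What the customer actually approved on the confirmation page."""
    amount: Decimal          # the figure shown to the customer
    tolerance: Decimal       # the shipping band displayed alongside it (0 = none)
    currency: str


def confirmation_text(c: Confirmation) -> str:
    """Wording for the confirmation page. A tolerance may only be honoured at
    capture time if it was visible to the customer here (proposed fix 2)."""
    return (f"You confirm {c.amount.quantize(CENT)} {c.currency} "
            f"(+-{c.tolerance.quantize(CENT)} {c.currency} for adopted shipping)")


def decide_capture(confirmed: Confirmation, requested: Decimal, currency: str) -> Decision:
    """Charging less than confirmed is always fine; charging more is allowed
    only within the displayed band, otherwise the customer reconfirms
    (proposed fix 1)."""
    if currency != confirmed.currency or requested <= 0:
        return Decision.REJECT
    if requested <= confirmed.amount + confirmed.tolerance:
        return Decision.CAPTURE
    return Decision.RECONFIRM


class Processor:
    """Toy payment processor keeping one confirmation per checkout token
    (assumed design, constructed for this example)."""

    def __init__(self) -> None:
        self._confirmed: dict[str, Confirmation] = {}

    def set_checkout(self, token: str, amount: str, currency: str,
                     tolerance: str = "0") -> str:
        # Step 1: the shop declares the amount; nothing is captured yet.
        # The returned text is what the customer is shown and approves.
        conf = Confirmation(Decimal(amount), Decimal(tolerance), currency)
        self._confirmed[token] = conf
        return confirmation_text(conf)

    def do_payment(self, token: str, amount: str, currency: str) -> Decision:
        # Step 2: the capture request is checked against the stored
        # confirmation rather than trusted as sent by the shop.
        conf = self._confirmed.get(token)
        if conf is None:
            return Decision.REJECT
        return decide_capture(conf, Decimal(amount), currency)


def merchant_guard(set_amount: str, capture_amount: str) -> bool:
    """Shop-side invariant for the 'simple software-bug' case in the post:
    the amount passed to the capture call must equal the one the customer
    was sent to confirm. Returns True when the two agree."""
    return Decimal(set_amount) == Decimal(capture_amount)


if __name__ == "__main__":
    p = Processor()
    print(p.set_checkout("EC-TOKEN-1", "1.00", "EUR"))
    # The scenario from the post: 1 EUR confirmed, 2 EUR requested.
    print(p.do_payment("EC-TOKEN-1", "2.00", "EUR"))   # Decision.RECONFIRM
```

Amounts are handled as `Decimal` built from strings so that the comparison is exact; a float-based check would let rounding noise slip past a zero-tolerance band. The merchant-side `merchant_guard` is a cheap second line of defence that a shop can apply regardless of what the processor enforces.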
