
Webmaster General Forum

    
Feature or Security Hole?
Interesting payPal experience.
rocknbil




msg:3623847
 6:46 pm on Apr 10, 2008 (gmt 0)

A customer wanted to pay with a card not supported by our website. She calls the store. Wife lets her know she can pay via PayPal, gives her valid PayPal payment address, then says, "I'm at the store, contact me at the store email address if you have any problems."

Bad idea. She made the payment to the store email address, which didn't exist in PayPal.

It was our fault for not adding the store address to PayPal, but we never thought we'd need it. So after the payment I went in, added it as a second email address, verified it, and voila - there's the payment in the account summary. Cool . . .

Or is it?

How many payments are out there floating around with errant email addresses? What if I went in to a high-volume eBay seller and started adding typos of their payment address to MY account? Given the fact that it's a free account or some other that I could verify. Don't think for a minute I would . . . but someone could . . .

Does the above scenario seem like a major security hole or a feature?

 

physics




msg:3623851
 6:53 pm on Apr 10, 2008 (gmt 0)

Interesting ... you would have to be able to verify the email addresses you added though. But if it's an eBay power seller that uses a Yahoo account then trying misspellings might work. I hope that there aren't too many of these 'orphan' transactions floating around at any one time, presumably they die or are canceled by the user after a certain period (hopefully!).

Insomniak




msg:3624013
 10:01 pm on Apr 10, 2008 (gmt 0)

I wonder how long they would let the invalid email payment bounce around if you hadn't added it. Might make sense for them to leave it available for just 48hr so people could sort things out and then reject the payment if it wasn't fixed. Knowing PayPal they probably just keep all these invalid transactions.

Guess this is another example of how using a custom email at your own domain is better than using something like Gmail with free accounts where someone could register name typos.

Not sure what they were up to but someone started a WordPress blog the other day using an email from one of my domains (a catch all only used by me) ... so the WordPress install instructions were sent to me, they couldn't even log in.
