Welcome to WebmasterWorld Guest from

Forum Moderators: phranque

Message Too Old, No Replies

Feature or Security Hole?

Interesting payPal experience.

6:46 pm on Apr 10, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
votes: 0

A customer wanted to pay with a card not supported by our website. She calls the store. Wife lets her know she can pay via payPal, gives her valid payPal payment address, then says, "I'm at the store, contact me at the store email address if you have any problems."

Bad idea. She made the payment to the store email address, which didn't exist in payPal.

It was our fault for not adding the store address to payPal, but we never thought we'd need it. So after the payment I went in, added it as a second email address, verified it, and voila - there's the payment in the account summary. Cool . . .

Or is it?

How many payments are out there floating around with errant email addresses? What if I went in to a high-volume eBay seller and started adding typos of their payment address to MY account? Given the fact that it's a free account or some other that I could verify. Don't think for a minute I would . . . but someone could . . .

Does the above scenario seem like a major security hole or a feature?

6:53 pm on Apr 10, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 27, 2001
votes: 0

Interesting ... you would have to be able to verify the email addresses you added though. But if it's an ebay power seller that uses a yahoo account then trying misspellings might work. I hope that there aren't too many of these 'orphan' transactions floating around at any one time, presumably they die or are canceled by the user after a certain period (hopefully!).
10:01 pm on Apr 10, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 2, 2006
votes: 0

I wonder how long they would let the invalid email payment bounce around if you hadn't added it. Might make sense for them to leave it available for just 48hr so people could sort things out and then reject the payment if it wasnt fixed. Knowing paypal they probably just keep all these invalid transactions.

Guess this is another example of how using a custom email at your own domain is better then using something like gmail with free accounts where someone could register name typos.

Not sure what they were up to but someone started a wordpress blog the other day using an email from one of my domains (a catch all only used by me) ... so the wordpress install instructions were sent to me, they couldnt even log in.