Critical PayPal Security Hack: Multiple Thefts Now Reported–Check Your Settings

139 points, posted by teslademigod1 about 5 years ago

14 comments

brobdingnagians, about 5 years ago

> “We reported this in February 2019 to PayPal via HackerOne,” they say. “After an initial rejection and several discussions, PayPal paid a bug bounty of $4,400.” The pair have not heard from PayPal, they say, since April 2019. But this week “tried and could still use the virtual credit card for online payments.” That means, they told me, “the bug has not been fixed.”

> But in terms of the Fenske and Mayer disclosure, the researchers told me that this is not fixed, even after PayPal’s “mitigation” statement.

If PayPal has known about it for a year and it still isn't fixed, then it means that either 1. PayPal didn't understand the bug report and "fixed" something else, or 2. PayPal understood the bug report, didn't fix it, and is trying to save face. Either one of those sounds pretty bad for their security policy...

Comment #22414140 not loaded
s5ma6n, about 5 years ago

Even yesterday there was this thread: https://news.ycombinator.com/item?id=22403565

PayPal needs to seriously reevaluate how they want to approach the vulnerabilities. Why have a bounty program if you are going to act hostile towards the white hat community or even ignore their reports?

Comment #22413208 not loaded
Comment #22413605 not loaded
luckylion, about 5 years ago

> PayPal told me that “the security of customer accounts is a top priority for the company.”

I wish journalists would ridicule this corporate bullshit lingo instead of just relaying it. I'm fairly certain that anyone that ever had contact with PayPal's (or Amazon's, or probably any other large corporation's) customer service with issues regarding security can attest that it's absolutely not one of their top priorities.

They haven't even bothered to make their official emails not look like phishing attempts. They don't care about security.

Comment #22413674 not loaded
Comment #22413644 not loaded
dessant, about 5 years ago

Regarding security at PayPal, I got a PayPal donation not long ago to my email address in the form of {@example.com. This email was not attached to my PayPal account, so I tried to add it to claim the payment, but client-side validation would reject it because of the funky { alias.

I disabled the client-side check using the browser's developer tools and my email was accepted by the server upon submission, so I could finally claim my 5 euros :P.

All of this was preceded by me contacting support about adding my email address. They couldn't help me and told me to contact the sender, which would have been impossible, since it was a donation, and the only thing I had was a PayPal notification about a pending payment to that email address.

Of course the server should have accepted the email anyway, because it was valid; the issue just highlights a faulty development process at PayPal that allows server-side validation to be more permissive than client-side validation.
numlock86, about 5 years ago

As a power user of Google Pay in conjunction with PayPal (in Germany), should I be worried now and remove, as recommended, my PayPal account from Google Pay? A lot of people around me also use it the same way as I do and no one heard of any such incident yet. Well, now that I told them, of course everyone heard of it at least ...

What are those "multiple reports"? I see the source is golem.de (don't get me started on that one) and "multiple reports" can just mean that less than half a dozen people got busted on their Google accounts for not using proper 2FA in that context.

Also the article states that Google Pay provides a virtual credit card when used with PayPal. How? All I saw up until now was virtual debit cards.

Comment #22413621 not loaded
AdmiralAsshat, about 5 years ago

Just as a PSA, it wasn't until I looked at one of these articles in the last few days about PayPal that a screenshot showing how to enable 2FA demonstrated that TOTP-based authenticator apps are now allowed. For the longest time, PayPal was only allowing 2FA SMS after they chucked their old physical security keys.

Anyone who's been stuck on SMS may wish to log in and switch over to TOTP.

Comment #22414272 not loaded
rwmurrayVT, about 5 years ago

Same first 7 with only 17 possible expiration dates? That's a recipe for disaster right from the start.
ljoshua, about 5 years ago

So NFC reading of embedded card details is always on, regardless of whether you are in "payments" mode or have the app open? Is that a PayPal flaw, or is it an Android/NFC/Google Payments flaw?

Comment #22415590 not loaded
Comment #22413779 not loaded
Comment #22415827 not loaded
Samung, about 5 years ago

That's what you get for ignoring flawed security reports.
m-p-3, about 5 years ago

I guess I'll remove my linked cards and bank accounts for now. Not like I use it much anyway.
bibinou, about 5 years ago

> Both issues appear linked to the way Google Pay is set up on a PayPal user’s account.
bilekas, about 5 years ago

Can we get a link with no paywall / adblocker?

Comment #22413415 not loaded
stebann, about 5 years ago

#NOFREEBOUNTIES
forgotmyhnacc, about 5 years ago

PayPal is really bad with security. A friend of mine reported a CSRF attack where an attacker could withdraw all the money out of a Venmo account (Venmo was acquired by PayPal) if the victim visited the attacker's website. It took them several weeks to fix, and my friend didn't receive any bug bounty.