
Is Paypal secure? October 6, 2008

Posted by jimmy high in Bits of Knowledge, Technology, Tecshmology.

Paypal is being widely used for payments and money transfer across many countries in the world.

It’s not the purpose of this article to illustrate what its benefits are, how many users it has, what it is worth and who started it (you can find this here). The purpose is to demonstrate that Paypal’s security has an extremely dangerous flaw. That sounds like a sensational claim meant to draw attention, but it’s up to you to decide after you have read this article. It’s your money. Literally.

The main idea is this: if you know someone’s Paypal registered email address and his phone number or postal address, you can impersonate him and reset the password for his Paypal account. Many sites have this option, but what many sites also have is an email validation step for resetting the password. In other words, on those sites the account’s security is tied entirely to the security of the email account.

Paypal will reset the password after supplying the email address and phone number or postal address. It’s true – it will notify the account owner about this via email, but what happens if the account owner doesn’t read that email until too late?

So let’s assume that there are 1000 people who know your email address and your phone number or postal address.

Taking the possible (unwanted) scenario step by step:

  1. click the ‘forgot password’ link on the Paypal login page (this step will only eliminate 0.002% (*) of the potential malicious users mentioned above)
  2. fill in the email address and the captcha code (this should eliminate another 0.02 of the 1000 people mentioned earlier)
  3. on the next page select ‘Phone number’ (then ‘Home number ending…’ if it’s not selected automatically) as the verification method (the number of those who can’t do this is really negligible)
  4. enter the phone number and click ‘continue’ (0.002% won’t be able to get past this)
  5. on the next page enter the new password (0.002% will fail)
  6. you are logged in!

So, this leaves you with almost ALL the people who know your email address and phone number or postal address, being able to reset your password for the account at Paypal.

(*) the numbers are approximated and set using the assumption that morons are trying too.

The other scenario (using the postal address instead of the phone number) is not hard to imagine if you have read the one above.

Very important: This is NOT a how-to steal someone’s money tutorial! This issue is addressed only for making the users aware of the danger and take the appropriate measures.

There are definitely plenty of ways to not let someone get away with this, but why get into this trouble?
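To make the design point concrete, here is an added illustration (not code from this post or from Paypal) contrasting a reset flow that checks only the registered email and phone number with one that can be completed only with a single-use, expiring token delivered to the registered mailbox; the `Account` record, the sample data and the token lifetime are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Account:          # constructed sample record, no real account data
    email: str
    phone: str
    password: str
class KnowledgeBasedReset:
    """The flow the post describes: email plus phone number sets a new password."""
    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}
    def reset(self, email, phone, new_password):
        acct = self.accounts.get(email)
        if acct is None or acct.phone != phone:
            return False
        acct.password = new_password
        return True

class EmailTokenReset:
    """Hardened variant (an assumption for illustration, not Paypal's design):
    the reset completes only with a single-use, short-lived token delivered to
    the registered mailbox, so control of that mailbox is required."""
    TTL = 600  # seconds a token stays valid

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.now = now      # injectable clock so expiry can be tested
        self.tokens = {}    # token -> (email, issued_at)
        self.outbox = []    # stand-in for the mail sender: (email, token)

    def request(self, email):
        # Same reply whether or not the address exists: no account enumeration.
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (email, self.now())
            self.outbox.append((email, token))
        return "If that address is registered, a reset link has been sent."

    def complete(self, token, new_password):
        entry = self.tokens.pop(token, None)  # single use: gone after first attempt
        if entry is None:
            return False
        email, issued = entry
        if self.now() - issued > self.TTL:
            return False
        self.accounts[email].password = new_password
        return True
```

In the first class anyone holding two widely known facts about the victim succeeds; in the second, a guessed token, a reused token and an expired token all fail, and nothing happens without reading the mailbox.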

What can you do?

  1. make sure you check your email that you have registered with Paypal as often as possible
  2. make sure your postal address or phone number is not published (this is not really an option on many occasions)

Going the other way: using the ‘Forgot your email address’ link, one can determine a user’s email address from his name, postal code, phone number and possibly the last 4 digits of a registered credit card.

Using the email address and the other details the malicious user can break into someone’s account by resetting his password.
