PayPal takes 18 months to patch critical remote code execution hole

  • 21 November 2014
  • 7 replies
  • 1259 views

Userlevel 7

Dusty patch paid out

By Darren Pauli, 21 Nov 2014

PayPal has closed a remote code execution vulnerability in its service some 18 months after it was reported.
The flaws reported earlier this month rated critical by Vulnerability Lab affected a core PayPal profile application.
"A system specific arbitrary code execution vulnerability has been discovered in the official PayPal Inc Web-Application and API," founder and researcher Benjamin Kunz Mejri wrote in a disclosure.
 
Full Article and Video

7 replies

Userlevel 7
Yeah...not good.  I am stuck using PayPal for some things, and overall I rather like it, but I do not like knowing about this.  I do check the account daily, and I would suggest everyone else does too and continue to do so 🙂 Really that goes for any and all internet bank accounts.
Userlevel 7
@ wrote:
Yeah...not good.  I am stuck using PayPal for some things, and overall I rather like it, but I do not like knowing about this.  I do check the account daily, and I would suggest everyone else does too and continue to do so 🙂 Really that goes for any and all internet bank accounts.
I agree David, check all money accounts daily. I may be paranoid about my money accounts because I check them all first thing in the morning, sometimes in the afternoon and always before retiring for bed at night. Another thing I do is get new credit card numbers on all the credit cards in use recently. (If I didn't use the credit card on anything I'll keep the same number.) This is done at least once every 2 years, sometimes sooner if the card was frequently used. I call the bank and tell them I think my credit card has been compromised to send me a new card. (I told them a little fib, eh) If your bank is set up for alerts when you use a certain amount on your credit card, use it. I have alerts set on all my credit cards for $1.00 US. Usually when someone gets your credit card number they will take out a small amount first to see if the card is good, then they will take out the big one $$$. :S
Yes, I micromanage all my money accounts. :D
Userlevel 7
Well done Dave!  If everyone managed accounts like that, there would be little sense in cybercrime....  One thing to what you said that I can add to: for those systems like PayPal that are capable of sending an email for every transaction, USE that feature.   🙂
Userlevel 7
I am not a fan of PayPal because they act like a Bank but are not regulated by anybody. So they can do what they like with your money and you have no comeback. I have heard of horror stories about people having money frozen for months and they have nobody to go to. Banks have regulators and other agencies you can go to if you have problems. PayPal...no dice.
Userlevel 7
I agree @ . I do have a PayPal account, but it's through my American Express Credit card. PayPal keeps sending me emails stating that my account is only 90% complete. They want me to give them my Banking Account Number to be 100% complete. No,no,no,no,no. They will not get that number. Once someone gets that number to savings or checking, they can clean house with your account. It's a lot easier to change a credit card number than a saving / checking account number. As I stated in the previous post, I change my credit card numbers frequently. The card number I gave PayPal has been changed. 😉
Userlevel 7
Again, if everyone was as savvy at using online accounts and PayPal, Dave, there would be no sense in Cybercrime.  The very first $1.00 transaction they tried would be almost instantly flagged and the account shut down.
 
Oh.. I do the same on my PayPal by the way... 90% complete. 
Userlevel 7
That is brilliant Dave, I agree with David that if everyone went to those lengths cybercrime would vanish.
