#31
Cybersaga: Respect for what you have said and putting it so well, whether I agree with it or not. I notice that many of the others have chosen to read this and not reply. Well done to them, and possibly not so for me for even trying to respond here again. I'm not trying to have the last word, I promise.
The one thing I have to respond to is "looking for pats on the back". Sorry, but I do. I'm so so sorry you said this, because not only is this what Dev Shedders do, but I really don't think that is what Memnoch was looking for. I think, in fact I'm certain, Memnoch would have seen previous episodes of this and was merely stating a fact and letting us all know what had gone on. He was also probably just releasing some tension in the process too. Whatever the reasons, Dev Shedders do this with each other and I don't see any wrong in Memnoch doing it here. I'm confident that if the reverse occurred then a post would be made at Dev Shed. In fact it was, because that's how I spotted this thread here at ASP Free. QED. Yourself and Sepodati have been big enough to come over here and admit there was a slight error, and Memnoch even posted a detailed 'lack of security' message in response to someone pointing out his 'error'. Everyone has taken a bow down, so to speak, and I think that says it all. We all appear to want to get on and have fun whilst we learn/code, and it seems that none of us really enjoy this anyway. So, let's finish this and let's forget all about anything that has happened in the past and move on once and for all. I know for sure that I will need help at some point and I may post at Dev Shed. I would hate to be ignored (I think I have been recently) and I would love to join in with the fun. I have been trying to. I hope I can do that from this point forward without anyone raking up past events and anyone still thinking that I am an a r s e hole. Sepodati: Can we all forget this? Please? A clean slate?
__________________
- Post your code - Post your errors - Be clear - Be courteous PLEASE...Finalise your thread with a solution or confirmation that the last advice worked or failed (We are here to help each other).
#32
Quote:
---John Holmes...
|
#33
Quote:
#34
Tone is very difficult to interpret in a written sentence.
This is why we have emoticons. The only person who knows what Sepodati means is himself, and the failure to use one in this instance really is quite dangerous. Don't you think?
#35
What are you guys talking about?
#36
Quote:
Whatever part of your brain that thinks being able to change the price of a purchased item, and who would be paid, isn't a vulnerability... should be removed. Anytime you can manipulate data like that, it's a vulnerability, regardless of what you, in your infinite security wisdom, may think.... Feel free to pass along your wisdom to others, so that a "real" hacker can come along and do to someone exactly what I explained in our PMs. I just can't believe that anyone would think that being able to change the price of a purchased item, or being able to change who would receive payment for it, isn't a security risk. BTW, I can change the values on your "insecure" site, but I'm not going to "hack" it. I'm a Software Developer and Security Consultant; I'm not going to intentionally break the law just to prove to you that what I'm saying is true.
Last edited by Memnoch : August 23rd, 2005 at 05:12 PM.
#37
I think Sep made a pretty irrefutable argument here.
If whoever you're buying from doesn't get the exact amount you were supposed to be charged, do you think they'll ship you the item? Probably not, and if they do, chances are they need to worry about the intelligence of their staff over anything to do with their website. Being able to take control of someone else's money is a vulnerability. Being able to give your own money to someone else is not.
#38
Hey, I'll agree that PayPal doesn't have the best design. Paying the wrong person the wrong amount of money isn't a vulnerability, imo, though. That's just being stupid. If a person is dumb enough to ship you an item for the wrong price, then they deserve to lose money, too.
Any method that assists someone in tricking another should be avoided, though, I agree. Until I learned about their "encrypted" buttons, though, I thought this was a necessary evil you choose to accept by using the free version of PayPal. In the future, maybe you could mention this alternative instead of just posting "your site can be hacked"... Honestly, I think we're arguing the same point but just calling it something different, anyhow. Quote:
---John Holmes...
#39
Obviously, neither of you understand the extent of the vulnerability. It's not about paying the wrong person the wrong amount, it's about being one step away from gaining access to someone else's PayPal account. If you can gain access to their account, then you can transfer that money to another account. Hence the vulnerability.
I thought I explained it clearly in the 10-15 PMs I had with Sepodati. It's not about paying the wrong amount to the wrong person, it's about being able to gain access to someone else's account and steal their money.
#40
The "unencrypted" version of the Buy It Now button has the user's email address / paypal login embedded in the form. So Memnoch is arguing that you know half of the equation and you just have to brute-force attack the PayPal site to determine the user's password.
Quote:
Why you mention changing the price or who it goes to, then, is unknown. The real issue you should be pointing out to users is that they are exposing their PayPal email address / login. (Assuming they keep their money in that account.) I'd argue that it's probably trivial to track down someone's email address / PayPal login, anyhow, though... Not really disagreeing with your points, just in the way you express them. Or don't express them, I should say. "Your site can be hacked"...
---John Holmes...
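The mechanism argued over in posts #36 through #40 is the classic hidden-field problem: a button form that carries the price and the payee in the page source trusts the visitor's browser. The following is an added example, not code from this thread, from any poster, or from PayPal; the field names (`item_number`, `amount`, `business`), the checkout URL, the catalog, the accounts and the shape of the processor notification are all constructed for illustration and are not PayPal's real button format or notification protocol. It shows three things the posts describe in prose: what a visitor learns from the page source (the payee's login e-mail), how the posted values are edited before submission, and the only check that actually protects the seller, which is comparing what the processor reports against the seller's own records before shipping.

```python
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlencode

# Constructed sample data: the one item the seller sells, and the account
# that is supposed to receive the money. Not a real catalog or account.
CATALOG = {"SKU-100": Decimal("49.95")}
MERCHANT_ACCOUNT = "seller@example.com"

# Hidden fields of an "unencrypted" button, as they reach every visitor's
# browser. Field names are hypothetical, chosen to mirror the discussion.
BUTTON_FIELDS = {
    "item_number": "SKU-100",
    "amount": "49.95",
    "business": MERCHANT_ACCOUNT,  # the seller's login e-mail, exposed to all
}


def render_button(fields):
    """Client-side form. Every value in it can be edited before submission."""
    inputs = "\n".join(
        f'  <input type="hidden" name="{k}" value="{v}">' for k, v in fields.items()
    )
    return f'<form method="post" action="https://pay.example/checkout">\n{inputs}\n</form>'


def exposed_login(html):
    """What a visitor learns from the page source: the payee's account name."""
    m = re.search(r'name="business" value="([^"]+)"', html)
    return m.group(1) if m else None


def tamper(fields, **changes):
    """Attacker path: take the posted body, edit the hidden values, resubmit."""
    body = urlencode(fields)
    edited = {k: v[0] for k, v in parse_qs(body).items()}
    edited.update(changes)
    return edited


def processor_notification(submitted):
    """Simulated processor-side notification to the seller after checkout.

    Hypothetical shape: the processor reports what it actually saw in the
    submitted form, not what the seller originally published.
    """
    return {
        "item_number": submitted["item_number"],
        "amount": submitted["amount"],
        "receiver": submitted["business"],
        "status": "Completed",
    }


def verify_payment(notification, catalog=CATALOG, merchant=MERCHANT_ACCOUNT):
    """Server-side check the seller must run before shipping anything.

    Compares the payee and amount the processor reports against the seller's
    own records, never against values that came from the client's form.
    Returns (ok, reason).
    """
    if notification.get("status") != "Completed":
        return False, "payment not completed"
    item = notification.get("item_number")
    if item not in catalog:
        return False, "unknown item"
    if notification.get("receiver") != merchant:
        return False, "paid to wrong account"
    try:
        paid = Decimal(notification.get("amount", ""))
    except InvalidOperation:
        return False, "bad amount"
    if paid != catalog[item]:
        return False, f"expected {catalog[item]}, got {paid}"
    return True, "ok"


if __name__ == "__main__":
    page = render_button(BUTTON_FIELDS)
    print(page)
    print("exposed login:", exposed_login(page))
    print("honest order:", verify_payment(processor_notification(BUTTON_FIELDS)))
    forged = tamper(BUTTON_FIELDS, amount="0.01", business="attacker@example.com")
    print("tampered order:", verify_payment(processor_notification(forged)))
```

The point of `verify_payment` is that the price and the payee are looked up from the seller's side (`CATALOG`, `MERCHANT_ACCOUNT`), so a visitor who rewrites the form can at most pay the wrong amount to the wrong account and get nothing shipped; what the check cannot do is hide the login e-mail that the plain button already published, which is the exposure #40 points at and which only a button format that does not carry it in the clear (the "encrypted" button mentioned in #38) addresses.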
#41
Everyone I've ever had any PayPal dealings with has my PayPal email. Some of them I don't trust anymore. I'm not worried.
#42
There are unknown variables at play here.
1) We don't know if PayPal locks out accounts after a certain number of failed logins; if so, brute forcing it wouldn't work.
2) If they don't lock out accounts, then it's just a matter of time (maybe a long time) before you can gain access to the account.
3) Assuming you gain access to the account, we don't know if PayPal sends an active confirmation email, something where the user would receive an email of a pending payment and then have to actively accept it by clicking a link or something.
Agreed, it may not be a huge vulnerability depending on what's going on behind the scenes at PayPal, but it doesn't excuse the fact that manipulating the data is a vulnerability, however small it may be.
4) Since we have the email address of the seller, a person could also attempt to gain access to your email account; if they could, then they could just do the "Forgot Password" on PayPal to get it. It's amazing what can be accomplished with a single phone call.
Last edited by Memnoch : August 23rd, 2005 at 06:50 PM.
#43
I still don't see a big risk, but regardless, I think we can agree that this is a problem that PayPal themselves would have to deal with, not individual webmasters. If there is an alternative implementation, that's what you should be suggesting.
#44
If something is proved to be not secured, people should simply avoid using it. Why all the fuss around Windows and IE? Because they're not secure.... That's the main reason people move to different, more secure, browsers.
Thus, if this is "by design" behavior of PayPal, they should be informed, and unless they fix it, people should be advised to look for an alternative.
#45
Last time I said "what a bunch of prima-donna posters there are in this thread" I was kind of including sepodati. This time, it's not about sep, but some others (you know who you are).
Memnoch, if you decide to flame someone in the future, why don't you do it to their face in the topic that raised your ire, rather than starting a useless thread on another site (aspfree in this case)? Now we have a bunch of unneeded hostility here. If anyone should be apologizing, it's you for causing all this flak, not sep. I've done my share of rabble-rousing, but I've never run to another site to do my complaining. Pfui.
__________________
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain
Viewing: ASP Free Forums > Other > ASP Free Lounge > DevShed Members