I didn’t want to try something risky, but I noticed at least two suspicious things. By that I mean there could be some open opportunities for hacking:
1) “http://www.paypal.com/en/cgi-bin/webscr?cmd=_logout” – if you go to this URL while logged in, your session is terminated.
Possible exploit: you can create a repeating (hidden) script (maybe on some webpage) – so that the user will believe he/she cannot log in at all.
2) I am able to send money and create accounts for emails starting with “%”
Example “%john@testxcvdf.com” (You can check it for yourself – Password is “!QAZ2wsx”)
Possible exploit: the fact that the character is not validated might be considered a weak spot that hackers could probe by trying different alternatives.
Even if both issues are not exactly a problem, it shows that they didn’t do some type of needed testing.
(I am going to send this to their support)
Edit: OK, I have a simple script as an example for the logout issue
Steps:
1) Open this url http://www.testalways.com/exploits/1.html (reloads an iframe with the link)
2) In another tab/window of the same browser, log in to the Paypal account (you can create one just to test it – you don’t have to enter any private data)
Behavior: User is disconnected quite fast without realizing what is going on
Conclusion: The value of a bug might depend on possible exploits.
This is an example of a behavior that is known, but maybe not much thinking was done in relation to security.
Another thing is the use of the same libraries for developing web applications. These bugs are identical to issues I found for a previous client.
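The logout issue above is a cross-site request forgery on a state-changing GET. The sketch below is an added example, not code from this post or from PayPal: it puts a handler with the described behaviour beside one that only accepts a POST carrying a session-bound token. The session store, function names and token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for the example)
SESSIONS = {}  # session id -> user; stands in for a real session store


def login(user):
    """Create a session and return its id (sent to the browser as a cookie)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid


def csrf_token(sid):
    """Token bound to the session; embedded in the site's own logout form."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def logout_vulnerable(method, sid, form):
    """Behaviour described in the post: any GET carrying the cookie ends the session."""
    SESSIONS.pop(sid, None)
    return 200


def logout_hardened(method, sid, form):
    """Only a POST carrying the session-bound token may end the session."""
    if method != "POST":
        return 405  # an iframe or image load is a GET and is rejected
    if sid not in SESSIONS:
        return 401
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):
        return 403  # another site cannot read the token, so its form post fails
    del SESSIONS[sid]
    return 200


def demo():
    """Replay the iframe-style request against both handlers."""
    a, b = login("alice"), login("bob")
    results = {
        "vulnerable_get": logout_vulnerable("GET", a, {}),
        "hardened_get": logout_hardened("GET", b, {}),
        "hardened_forged_post": logout_hardened("POST", b, {"csrf_token": "x"}),
        "bob_still_logged_in": b in SESSIONS,
        "hardened_real_post": logout_hardened("POST", b, {"csrf_token": csrf_token(b)}),
    }
    results["alice_logged_in"] = a in SESSIONS
    return results
```
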