24 Jan 2012 @ 11:21 PM 

I didn’t want to try something risky, but I noticed at least two suspicious things. By that I mean there could be some open opportunities for hacking:

1) “http://www.paypal.com/en/cgi-bin/webscr?cmd=_logout” – if you go to this URL while logged in, your session is terminated.

Possible exploit: you can create a repeating (hidden) script (maybe on some web page) so that the user will believe he/she cannot log in at all.

2) I am able to send money and create accounts for emails starting with “%”

Example “%john@testxcvdf.com” (You can check it for yourself – Password is “!QAZ2wsx”)

Possible exploit: the fact that the character is not validated might be considered a weak spot for hackers, who could try different alternatives.

Even if neither issue is exactly a problem, it shows that some type of needed testing was not done.

(I am going to send this to their support)

Edit: OK, I got a simple script as an example for the logout issue.

Steps:

1) Open this url http://www.testalways.com/exploits/1.html (reloads an iframe with the link)

2) In another tab/window of the same browser, log into the PayPal account (you can create one just to test it – you don’t have to enter any private data)

Behavior: User is disconnected quite fast without realizing what is going on

Conclusion: The value of a bug might depend on possible exploits.

This is an example of a behavior that is known, but maybe not much thinking was done in relation to security.

Another thing is the usage of the same libraries for developing web applications. These bugs are identical to issues I found for a previous client.

Posted By: Eusebiu Blindu
Last Edit: 25 Jan 2012 @ 01:30 AM

Categories: Bugs
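The logout-by-URL issue above is a cross-site request forgery against the logout endpoint: any page can load the URL in a hidden iframe and the browser attaches the session cookie. As an added example (not from this post and not PayPal’s code), this Python sketch shows the usual server-side mitigation: act on logout only for a POST that carries a token derived from the session, which a page on another origin cannot read. `SERVER_SECRET`, `csrf_token`, `handle_logout` and the `sessions` dict are assumed names for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side key used to derive CSRF tokens. Constructed here for the example;
# a real deployment would load a persistent key from its configuration.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token (HMAC-SHA256 over the session id).

    The token is embedded in the logout form served to the logged-in user.
    A page on another origin can make the browser send the session cookie,
    but it cannot read this value, so it cannot build a valid logout request.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_logout(sessions: Dict[str, str], cookie_session_id: str,
                  method: str, form_token: Optional[str]) -> str:
    """Hypothetical logout handler. Returns 'logged_out' or a rejection reason.

    `sessions` maps session id -> user name and stands in for the server's
    session store; `cookie_session_id` is whatever the browser sent as cookie.
    """
    if cookie_session_id not in sessions:
        return "rejected: no active session"
    if method != "POST":
        # The hidden-iframe trick from the post issues a plain GET to the
        # logout URL. A state-changing action must never be triggered by GET.
        return "rejected: logout requires POST"
    expected = csrf_token(cookie_session_id)
    if form_token is None or not hmac.compare_digest(expected.encode(), form_token.encode()):
        # An auto-submitted cross-site form can reach this branch, but it has
        # no way to supply the token, so forged POSTs are rejected here too.
        return "rejected: missing or invalid CSRF token"
    del sessions[cookie_session_id]
    return "logged_out"


if __name__ == "__main__":
    store = {"sess-1": "testuser"}  # constructed sample session store
    print(handle_logout(store, "sess-1", "GET", None))                    # iframe reload
    print(handle_logout(store, "sess-1", "POST", "bogus-token"))          # forged form
    print(handle_logout(store, "sess-1", "POST", csrf_token("sess-1")))   # real form
```

Marking the session cookie `SameSite=Lax` or `SameSite=Strict` is a complementary browser-side defence: the cookie is then not attached to the iframe’s request at all, so the logout URL sees no session to terminate.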
 13 Jun 2010 @ 10:46 PM 

Skype is a widely used application, and I also played a little bit with it.

Here are some of my findings/observations/bugs:

  • Perlclip is a tool to generate input data. Using it with the command “Counterstring 10 X” you get something like this pasted in the clipboard: X3X5X7X10X. It is a string that shows how long it is (by looking at the last number separated by “X”). I generated various inputs for Skype chat and here is what I found:
  1. If I paste a word whose length is equal to or greater than 30000 characters and press send, I see only “..” for the rest of the message.
  2. The maximum paste-able length in a Skype chat is 32768 characters.
  • A couple of months (let’s say maybe 6) after I left my previous company, Solarwinds, I had been reactivated in the group chat even though no one re-added me. I was also able to see some history. It appears that Skype keeps a lot in the backups and as history.
  • In Skype chat, when using “:)” (the smile emoticon), it is parsed differently if it is immediately followed by a string, or by a space and then another string. “ :) test” and “ :) test” is an example.
  • There used to be a web page, which I am now unable to find, listing the shortcuts for the emoticons; all of them were correct except one. Later I think it was fixed, but now I cannot find the link.
  • A problem that I cannot exactly pin down: when I switch between Skype on Windows and Ubuntu (and maybe something else), messages are sent or received late and a lot of weird stuff goes on.

These types of issues appear with exploratory testing, and each new finding leads to other conclusions. In an organization some functions need to work, but testing them is done in only a few contexts; things that should not happen should also be searched for. There are also cases where multiple people work only on some components and find something that is related to some other component.

Why was the string longer than 29999 characters not parsed? If I put “Test ” (with a space) before the rest of the 30000-character string, I see that “Test ” is parsed. It looks like strings separated by spaces are evaluated separately. Is Skype evaluating the words somehow, like keywords? This is an assumption, and assumptions should usually be avoided, or used only temporarily and then checked. But in this case it is hard to check.

Posted By: Eusebiu Blindu
Last Edit: 13 Jun 2010 @ 11:00 PM

Categories: Bugs
