I didn’t want to try something risky, but I noticed at least two suspicious things. By that I mean there could be some open opportunities for hacking:
1) “http://www.paypal.com/en/cgi-bin/webscr?cmd=_logout” – if you go to this url while logged in, your session is terminated.
Possible exploit: you can create a repeating (hidden) script (maybe on some webpage) – so that the user will believe he/she cannot log in at all.
2) I am able to send money and create accounts for emails starting with “%”
Example “%firstname.lastname@example.org” (You can check it for yourself – Password is “!QAZ2wsx”)
Possible exploit: the fact that the character is not validated might be considered a weak spot for hackers, who could try different alternatives.
Even if both issues are not exactly a problem, they show that some type of needed testing was not done.
(I am going to send this to their support)
Edit: Ok, I got a simple script as an example for the logout issue:
1) Open this url http://www.testalways.com/exploits/1.html (it reloads an iframe with the link)
2) In another tab/window of the same browser log in to the Paypal account (you can create one just to test it – you don’t have to enter any private data)
Behavior: User is disconnected quite fast without realizing what is going on
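What the logout observation shows is a state-changing action triggered by a plain GET with no check of where the request came from, so a page on any other site can fire it from an iframe. The block below is an added example (mine, not PayPal's code and not the script linked above) that models that weak policy next to a hardened one. It assumes a constructed site origin (`SITE_ORIGIN`), a dict-shaped request, and a server-side session holding a per-session CSRF token; none of those names come from the post.

```python
import hmac
import secrets

# Constructed placeholder for the site's own origin; not PayPal's real host.
SITE_ORIGIN = "https://www.example-site.test"


def new_session(user):
    # Server-side session record; the CSRF token is unpredictable and per session.
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def weak_logout_allowed(request, session):
    # Models the behaviour observed in the post: any request whose query string
    # carries cmd=_logout ends the session, whatever the method or the origin.
    # A hidden cross-site iframe that keeps loading the URL is enough to trigger it.
    return request["query"].get("cmd") == "_logout"


def hardened_logout_allowed(request, session):
    # Three checks, any one of which stops the iframe trick:
    # 1. Only POST may change state; a plain navigation (GET) is ignored.
    if request["method"] != "POST":
        return False
    # 2. The browser-set Origin header (Referer as fallback) must name our site.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return False
    # 3. The form must carry the session's CSRF token; compare in constant time.
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted, session["csrf_token"])


def make_request(method, query=None, headers=None, form=None):
    # Helper to build constructed request dicts for the scenarios below.
    return {"method": method, "query": query or {},
            "headers": headers or {}, "form": form or {}}


def scenarios(session):
    """Return {name: (weak_result, hardened_result)} for four constructed requests."""
    cross_site_get = make_request(
        "GET", query={"cmd": "_logout"},
        headers={"Referer": "https://third-party.example/1.html"})
    genuine_post = make_request(
        "POST", query={"cmd": "_logout"},
        headers={"Origin": SITE_ORIGIN},
        form={"csrf_token": session["csrf_token"]})
    bad_token_post = make_request(
        "POST", query={"cmd": "_logout"},
        headers={"Origin": SITE_ORIGIN},
        form={"csrf_token": "guessed-value"})
    cross_site_post = make_request(
        "POST", query={"cmd": "_logout"},
        headers={"Origin": "https://third-party.example"},
        form={"csrf_token": session["csrf_token"]})
    results = {}
    for name, req in [("cross_site_get", cross_site_get),
                      ("genuine_post", genuine_post),
                      ("bad_token_post", bad_token_post),
                      ("cross_site_post", cross_site_post)]:
        results[name] = (weak_logout_allowed(req, session),
                         hardened_logout_allowed(req, session))
    return results


if __name__ == "__main__":
    s = new_session("alice")
    for name, (weak, hard) in scenarios(s).items():
        print(f"{name:16} weak={weak!s:5} hardened={hard}")
```

Under the weak policy all four requests log the user out, including the cross-site GET that the iframe page produces; under the hardened policy only the genuine same-origin POST carrying the session's token does. Marking the session cookie `SameSite=Lax` or `Strict` adds a further layer, since the browser then withholds the cookie from cross-site subrequests such as an iframe load.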
Conclusion: The value of a bug might depend on possible exploits.
This is an example of a behavior that is known, but maybe not much thinking was done in relation to security.
Another thing is the use of the same libraries for developing web applications. These bugs are identical to issues I found for a previous client.
Skype is a widely used application and I also played a little bit with it.
Here are some of my findings/observations/bugs:
- If I paste a word that is 30000 chars or longer and press send, I see only “..” as the rest of the message.
- The maximum paste-able length in a Skype chat is 32768 chars.
These types of issues appear with exploratory testing, and each new finding leads to other conclusions. In an organization some functions need to work, but they are tested only in a few contexts; things that should not happen should also be searched for. There are situations where multiple people work only on some components and find something that is related to some other component.
Why was the string larger than 29999 not parsed? If I set “Test ” (with space) and then the rest of the 30000 string, I see that “Test ” is parsed though. It looks like strings separated by space are evaluated. Is Skype evaluating the words somehow, like a keyword? This is an assumption, and assumptions should usually be avoided or used only temporarily to check something. But in this case it is hard to check.