Alipay payment code major vulnerability: in 10 seconds, with no verification, a bank card can be fraudulently charged for any amount within its limit - vulnerability warning - the Black Bar Safety Net

2016-05-16T00:00:00
ID MYHACK58:62201674848
Type myhack58
Reporter Anonymous
Modified 2016-05-16T00:00:00

Description

Online one often sees cases of Alipay accounts being fraudulently charged, but they always seemed very far away from me; I never expected it to happen to me today. It was real, and it came without warning. In just 10 seconds, without my receiving any prompt to enter a verification code or a payment password, 2,000 yuan was stolen from my bank card. On weekdays my wife, because she has to look after our child, cannot go out to work, so she runs an online shop from home. Its main business is writing articles for users. Because she had something to deal with today, after I got to work I logged into my wife's QQ and Qianniu. Normally nobody consults us on weekends, but by coincidence this morning, shortly after 9 o'clock, a user contacted my wife's business QQ, saying he wanted to buy our product and wanted to pay through Alipay. I gave him my Alipay account, but unlike an ordinary customer, this customer wanted to pay by scanning a code, and told me how to open the payment code. I had used the payment code before when transferring money to friends, as a normal thing. So I opened the Alipay wallet and sent him a screenshot of the payment code. I did not want to send him the payment code again, but he asked me to send it once more. Because taking screenshots is a lot of trouble, I did not want to keep sending it over and over, so I gave him my Alipay account and told him he could transfer directly when he wanted to buy a product, or simply place an order in the Taobao shop. What should have been a very ordinary transaction then took a terrible turn. After I sent him the payment code, I received an Alipay notification of a 2,000 yuan expenditure. In this whole process I performed no operation at all: no entering of the Alipay payment password, no entering of a code, no confirming of a transaction amount, nothing. And yet 2,000 yuan was charged off my bank card.
I realized the seriousness of the problem and immediately called Alipay, but the reply I got was: "This is a normal transaction; the money was charged off because of your own negligence." Alipay customer service told me to contact the local police. At that moment my mind went blank; without thinking further, I went to the nearby Public Security Bureau and reported the case. But the police also found this very strange: it was supposed to be the other party paying me, so why was 2,000 yuan stolen from me? On the spot, following the process I had described, the officer opened his payment code interface and let me scan it; when I scanned his payment code with the Alipay wallet, only a "transfer to the other party" interface appeared, with no function to receive money. This shows that in the normal process, when I give the other party my payment code, it should be the other party paying me, not the other party being able to charge my money. So I called Alipay customer service again; their reply was that the payment code page also carries a QR code which is meant for merchants to scan, and a merchant scanning it can directly charge the money in the bank card without any user authentication. My question is: "Since it is a payment process, at the very least the user should be able to see the payment amount and agree to it; there should be a payment confirmation step." But there is none. Yes, someone can scan your QR code, enter any amount, and, without passing any of your authentication, charge away any amount. Then I described the problem to Alipay's security department. They said they would record it, but they kept evading their own responsibility, saying I had been deceived and that it was not their problem. After filing the record at the Public Security Bureau, I left. Alipay has not contacted me again; they said they would contact me within 72 hours, so I am waiting for the result.
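The mechanism the customer-service reply describes, in which a merchant terminal that scans a customer-presented payment code can pull a charge with no amount shown to the payer and no confirmation from them, is modelled below as an added example written for this page. It is not Alipay's code or API: the server key, the 60-second code lifetime, the 500 confirmation threshold, the wallet model and every function name are assumptions. The point it makes is that a screenshot of a customer-presented code is a bearer credential; the hardened flow beside the unchecked one treats the code as short-lived and single-use and routes any charge above a threshold to an in-app confirmation where the payer sees the amount.

```python
"""Toy model of a customer-presented payment code as a bearer token.

Illustrative only; nothing here is Alipay's implementation. The key, the
lifetime, the threshold and the wallet structure are assumed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_KEY = b"wallet-server-secret"  # assumed: key held by the wallet backend
CODE_TTL = 60                         # assumed: seconds a displayed code stays valid
CONFIRM_ABOVE = 500                   # assumed: charges above this need the payer's OK


@dataclass
class Wallet:
    balance: int
    used: set = field(default_factory=set)        # nonces already charged (replay check)
    pending: dict = field(default_factory=dict)   # nonce -> amount awaiting the payer's OK


def issue_code(user_id: str, now: int) -> str:
    """What the wallet app renders as the barcode/QR: user id, issue time, nonce, MAC."""
    nonce = secrets.token_hex(4)
    body = f"{user_id}:{now}:{nonce}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}:{tag}"


def _parse(code: str):
    """Check the MAC and split the code; raises on a forged or corrupted code."""
    user_id, issued, nonce, tag = code.split(":")
    body = f"{user_id}:{issued}:{nonce}"
    expect = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag")
    return user_id, int(issued), nonce


def charge_unchecked(wallet: Wallet, code: str, amount: int) -> str:
    """The behaviour the post describes: a genuine code is enough for any amount.

    The merchant terminal submits code + amount; the payer is never asked.
    """
    _parse(code)
    wallet.balance -= amount
    return "DEBITED"


def charge_checked(wallet: Wallet, code: str, amount: int, now: int) -> str:
    """Hardened flow: expiry, single use, and payer confirmation above a threshold."""
    _user_id, issued, nonce = _parse(code)
    if now - issued > CODE_TTL:
        return "EXPIRED"          # an old screenshot is worthless
    if nonce in wallet.used:
        return "REPLAY"           # the same code cannot be charged twice
    wallet.used.add(nonce)
    if amount > CONFIRM_ABOVE:
        wallet.pending[nonce] = amount
        return "CONFIRMATION_REQUIRED"   # payer is shown amount + merchant, enters password
    wallet.balance -= amount
    return "DEBITED"


def confirm(wallet: Wallet, nonce: str, password_ok: bool) -> str:
    """Payer's in-app decision for a pending charge; password_ok stands in for the real check."""
    amount = wallet.pending.pop(nonce, None)
    if amount is None:
        return "NOTHING_PENDING"
    if not password_ok:
        return "REJECTED"
    wallet.balance -= amount
    return "DEBITED"


if __name__ == "__main__":
    # Constructed scenario mirroring the post: the code is shared, a merchant charges 2000.
    leaked = Wallet(balance=5000)
    code = issue_code("victim", now=1000)
    print("unchecked:", charge_unchecked(leaked, code, 2000), leaked.balance)   # DEBITED 3000

    guarded = Wallet(balance=5000)
    code = issue_code("victim", now=1000)
    print("checked:", charge_checked(guarded, code, 2000, now=1005), guarded.balance)
    print("replay:", charge_checked(guarded, code, 2000, now=1006))
    print("payer declines:", confirm(guarded, code.split(":")[2], password_ok=False), guarded.balance)
```

Only the server-side policy differs between the two flows; the code the payer hands over is identical, which is why a screenshot sent over chat is as good as the card itself under the unchecked policy.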
A US-listed company, the third-party payment platform with the highest usage rate in the country, has a loophole this big, yet does not acknowledge it and wants the user to pay for it; I find this incredibly chilling. With this vulnerability, as long as the other party is a merchant and gets hold of your payment code, they can fraudulently charge any amount on your bank card within ten seconds. Below are the relevant screenshots: 1. The chat with the other party: he asked me how to make the deal and asked me to send him my Alipay QR code
8. The interface that appears when I scan a colleague's payment code: only the transfer function, yet one can still be fraudulently charged. 9. The other party's QQ information