How Do I Security
-
Security is hard.
Just ask PayPal, where there's a long-running history of MFA vulnerabilities. This one found and patched this month just might take the cake though.
"The
customerclient is always right" does not apply to security, thank you very much.
-
Jesus Christ, how do you even get that wrong? I would think at minimum the request parser would choke on its own vomit when the response values were NULL.
Also, 13 business days from "we're working on it" to an actual fix? For what should be a simple null-check? Am I missing something here?
-
@pydsigner said in How Do I Security:
Security is hard.
Just ask PayPal, where there's a long-running history of MFA vulnerabilities. This one found and patched this month just might take the cake though.
"The
customerclient is always right" does not apply to security, thank you very much.That's amazing. Apparently they started out accepting the input and then denied it if the security questions provided the wrong answers - but not if they provided no answers. Brillant! No answer is not the same as the right answer.
-
@Fox Why not? They didn't provide any wrong answers, so there's literally nothing wrong... right?
-
How the fuck does code like that not get reviewed 15 times before being put on production?
Or alternatively, how the fuck does code like that pass even a single review?
-
-
@anonymous234 said in How Do I Security:
Or alternatively, how the fuck does code like that pass even a single review?
This is basically what I said after someone shared the link with me.
-
@El_Heffe said in How Do I Security:
Reviews are for suckers
Sincerely,
Paypal CEO
They outsourced it to Samsung's non-Korean reviewers.
-
That's - ummm - really quite something, isn't it?
-
@pydsigner said in How Do I Security:
They outsourced it to Samsung's non-Korean reviewers.
Needs more ~~cowbell~~ spreadsheet!
-
@bugmenot said in How Do I Security:
Also, 13 business days from "we're working on it" to an actual fix? For what should be a **simple null-check**? Am I missing something here?
I've bolded the assumption that I find amusing. You need to show some imagination to realize that their code is probably so much more convoluted than anything a simple null check could fix. Probably inner platforms and no one around to hand the complicator some gloves.
But yeah...trusting the client.
-
@bugmenot said in How Do I Security:
13 business days from "we're working on it" to an actual fix
This time they probably tested it very carefully.
-
@Adynathos said in How Do I Security:
@bugmenot said in How Do I Security:
13 business days from "we're working on it" to an actual fix
This time they probably tested it very carefully.
Third time's the charm, amirite?
-
You don't even need to wear complicator's gloves; there are elegant ways like 'skip answer if missing to debug faster or show to C*O' and 'if answer is correct, set $securityQuestion0 to 0 for success' that are entirely plausible. Hell, even comparing null to the security answer should actually fail (except if the user hasn't set a security question).
@boomzilla said in How Do I Security:
But yeah...trusting the client.
Well, it's you that programmed the webpage; if the client tries to forge it, you just frequently update the request content to the correct value. If feeling extra paranoid, add tamper detection to the correct value, halt and require a reload if the console is opened, and you're clear for prod.
-
@bugmenot said in How Do I Security:
Well, it's you that programmed the webpage; if the client tries to forge it, you just frequently update the request content to the correct value. If feeling extra paranoid, add tamper detection to the correct value, halt and require a reload if the console is opened, and you're clear for prod.
Um. No. Absolutely not.
- Why try to catch forgery in the browser when you can do it on your own terms on the server?
- Read the article. The POC wasn't done in the browser! He ran a proxy between the client and PayPal that stripped the security questions out.
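Added example, not code from the thread, the write-up it links to, or PayPal: a server-side check for a security-question step, written in Python, with the fail-open shape the thread describes next to a fail-closed version. The question ids, reference answers and the hashing are constructed for the demo; the point is which side drives the loop, the client's request or the server's enrolment record.

```python
import hashlib
import hmac


def normalize(answer):
    """Canonicalise an answer the same way it was hashed at enrolment."""
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).hexdigest()


# Constructed enrolment data for one account: question id -> hashed reference answer.
# (A real deployment would use a slow, salted hash; sha256 keeps the demo short.)
STORED_ANSWERS = {
    "q1": normalize("Rex"),
    "q2": normalize("Springfield"),
}


def verify_fail_open(submitted):
    """The shape the thread describes: reject a wrong answer, but only ever look
    at the answers that arrived. A request with the question fields stripped
    out (the proxy in the write-up) never enters the loop and is accepted."""
    for qid, answer in submitted.items():
        expected = STORED_ANSWERS.get(qid)
        if expected is None or not isinstance(answer, str):
            return False
        if normalize(answer) != expected:
            return False
    return True  # reached with zero answers: the bypass


def verify_fail_closed(submitted):
    """Drive the loop from what the server expects, not from what the client sent.
    Every enrolled question must be present, non-blank and correct; fields the
    server never asked for are rejected; the verdict is taken only after every
    check has run, so the result defaults to denial."""
    ok = True
    for qid, expected in STORED_ANSWERS.items():
        answer = submitted.get(qid)
        if not isinstance(answer, str) or not answer.strip():
            ok = False  # a missing or blank answer is a failure, not a skip
            continue
        if not hmac.compare_digest(normalize(answer), expected):
            ok = False  # keep going; do not reveal which question failed by timing
    if set(submitted) - set(STORED_ANSWERS):
        ok = False  # unexpected fields in the request
    return ok


if __name__ == "__main__":
    stripped = {}  # what a request with the question fields removed looks like
    full = {"q1": "Rex", "q2": "Springfield"}
    print("fail-open,   stripped request:", verify_fail_open(stripped))    # True
    print("fail-closed, stripped request:", verify_fail_closed(stripped))  # False
    print("fail-closed, correct answers :", verify_fail_closed(full))      # True
```

The fix is not a null check bolted onto the first version: `verify_fail_closed` iterates over the server's own list of enrolled questions, so there is no code path in which "nothing arrived" turns into "nothing was wrong".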
-
@pydsigner I think you
-
@masonwheeler said in How Do I Security:
@Fox Why not? They didn't provide any wrong answers, so there's literally nothing wrong... right?
I read once about a voicemail system that would only listen for correct PIN digits, but would ignore incorrect PIN digits. (DTMF)
So, for a four digit PIN, 0123456789012345678901234567890123456789 would get you into anyone's voicemail.
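Added example, not code from the thread or from any voicemail product: a Python model of the DTMF matcher described in the post above (advance on the expected digit, ignore everything else) beside a fail-closed matcher that consumes whole attempts and locks out. The PIN values and the keypress strings are constructed; the 40-digit sequence is the one quoted in the post.

```python
import hmac

# The keypress string from the post above: four passes through 0-9.
THREAD_SEQUENCE = "0123456789" * 4


def pin_subsequence_matcher(pin, keypresses):
    """Fail-open matcher as described in the post: advances only when the next
    expected digit is pressed and silently ignores any other digit. Because the
    PIN only has to appear as a subsequence, one short fixed keypress string
    contains every possible PIN."""
    pos = 0
    for digit in keypresses:
        if digit == pin[pos]:
            pos += 1
            if pos == len(pin):
                return True
    return False


def pin_strict_matcher(pin, keypresses, max_attempts=3):
    """Fail-closed matcher: each attempt consumes exactly len(pin) digits and is
    compared as a whole, every attempt counts against a lockout budget, and a
    trailing partial attempt is never accepted. Returns 'ok', 'denied' or 'locked'."""
    n = len(pin)
    attempts = 0
    for start in range(0, len(keypresses) - n + 1, n):
        attempt = keypresses[start:start + n]
        attempts += 1
        if attempts > max_attempts:
            return "locked"
        if hmac.compare_digest(attempt, pin):
            return "ok"
    return "denied"


def pins_accepted(matcher, keypresses, length=4):
    """How many of the 10**length possible PINs the given keypress string opens."""
    return sum(
        1
        for k in range(10 ** length)
        if matcher(f"{k:0{length}d}", keypresses) in (True, "ok")
    )


if __name__ == "__main__":
    print("subsequence matcher, PINs opened by the 40-digit string:",
          pins_accepted(pin_subsequence_matcher, THREAD_SEQUENCE))  # 10000
    print("strict matcher, PINs opened by the same string:",
          pins_accepted(pin_strict_matcher, THREAD_SEQUENCE))       # 3
```

Each pass through 0-9 supplies whichever digit the matcher is waiting for, so four passes cover every four-digit PIN; the strict matcher sees the same string as three wrong whole attempts followed by a lockout.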
-
@Jaloopa said in How Do I Security:
@pydsigner I think you
But people actually believe that sort of stuff, and he's new :(
-
@error said in How Do I Security:
@masonwheeler said in How Do I Security:
@Fox Why not? They didn't provide any wrong answers, so there's literally nothing wrong... right?
I read once about a voicemail system that would only listen for correct PIN digits, but would ignore incorrect PIN digits. (DTMF)
So, for a four digit PIN, 0123456789012345678901234567890123456789 would get you into anyone's voicemail.
-
@pydsigner said in How Do I Security:
Paypal 2FA Bypass
Can't close my Paypal account as I still need it to test client things sometimes, but I'm feeling pretty good about my decision to remove all bank/credit card information a few months ago.
-
@aapis said in How Do I Security:
@pydsigner said in How Do I Security:
Paypal 2FA Bypass
Can't close my Paypal account as I still need it to test client things sometimes, but I'm feeling pretty good about my decision to remove all bank/credit card information a few months ago.
You have more confidence than I that they purge such data from their database.
-
@aapis said in How Do I Security:
@pydsigner said in How Do I Security:
Paypal 2FA Bypass
Can't close my Paypal account as I still need it to test client things sometimes, but I'm feeling pretty good about my decision to remove all bank/credit card information a few months ago.
So does anyone know the financial aspect of it well enough to tell us whether they keep a record of payment methods anywhere (audit history or such), and if so, how long?
In other words, if you're required to use PayPal to pay for something, is it better to have an account or to use it as a guest?
-
@pydsigner said in How Do I Security:
@error said in How Do I Security:
@masonwheeler said in How Do I Security:
@Fox Why not? They didn't provide any wrong answers, so there's literally nothing wrong... right?
I read once about a voicemail system that would only listen for correct PIN digits, but would ignore incorrect PIN digits. (DTMF)
So, for a four digit PIN, 0123456789012345678901234567890123456789 would get you into anyone's voicemail.
Somebody once discovered that many of the top executives at our company had never bothered to change the default password on their voicemail. Much hilarity ensued.
-
-
@El_Heffe said in How Do I Security:
@pydsigner said in How Do I Security:
@error said in How Do I Security:
@masonwheeler said in How Do I Security:
@Fox Why not? They didn't provide any wrong answers, so there's literally nothing wrong... right?
I read once about a voicemail system that would only listen for correct PIN digits, but would ignore incorrect PIN digits. (DTMF)
So, for a four digit PIN, 0123456789012345678901234567890123456789 would get you into anyone's voicemail.
Somebody once discovered that many of the top executives at our company had never bothered to change the default password on their voicemail. Much hilarity ensued.
Last place I worked at, your telephone login was your extension and the password was 12345. Well, unless you were a peon; those guys had to have a personal password because it was tied to the timecard system somehow. But I could quite easily log into any manager's phone (which would kick the one on their desk off, hilarity ensues) and make calls in their number. 'course, doesn't make a difference unless someone actually knew that telephone and who was expected to call from it, but it was an interesting tidbit of knowledge to possess.
-
And my boss always says "You shouldn't always think that the users will meddle with your request strings. Stop wasting your time figuring out how to validate it against user meddling".
-
-
@pydsigner Is there any report on why PayPal would even allow to downgrade 2FA to wish-it-were-2?
Because that sounds like just the same kind of
-
@JBert said in How Do I Security:
@pydsigner Is there any report on why PayPal would even allow to downgrade 2FA to wish-it-were-2?
Because that sounds like just the same kind of
Well, think about the cases where your phone/2FA token device is lost/stolen/reset by someone when taken in for repair; there has to be some way to unbind the process so you won't get stuck in the middle when you need it.
My current credit card issuer will always call me for verification if an abnormal transaction is found (like an abnormally big one even if everything else looks okay) and will withhold the transaction until they can reach me and accept confirmation from me. If your Paypal account is backed by a credit card issuer that does this, I think downgrading from 3FA to 2FA is somewhat acceptable.
-
@djls45 said in How Do I Security:
So does anyone know the financial aspect of it well enough to tell us whether they keep a record of payment methods anywhere (audit history or such), and if so, how long?
ISTR trying to use paypal as a guest, at a time (well, one of the many times, in fact) where they had, for , blocked my account, and not being able to because something about the payment I was trying to make had, at one point, been linked to my account (but no longer was). I forget, however, exactly what it was that was linked, but I'm fairly certain it was my card.
I have no idea how long they keep stuff linked, though, and whether they are even liable for proper auditing; they behave a lot like a bank, but they don't appear to be covered by any of the banking regulations.
-
@tufty said in How Do I Security:
they behave a lot like a bank
Terrible security, poor user service? Yes, they do behave a lot like a bank.
-
Ever tried leaving Paypal? Apparently, you just can't.
I have a current issue with them where they've demanded all sorts of ID from me (after eight years of dealing happily with me), which has eventually led to my inviting them to get stuffed. But apparently no, my account simply cannot be closed down.
I ended up sending them a data protection notice that they no longer had any right to process my personal data, which I thought would do the job. Nope! They just, in typical PayPal fashion, ignored me and pretended I don't exist...
-
@mjmilan1 They are legally required to keep your personal information for a few years, so it doesn't make much difference.
(AFAIK, they are still required to delete your account upon request despite that, so your point is not completely invalid.)
-
@mjmilan1 Time to elevate to a formal complaint. Exact route will depend on which country you're in, but the end point (assuming you're EU-based) is repeated large fines for them until they comply with your request to have your data removed. Which is the sort of thing that they won't ignore.
-
What!? No! HOW PAYPAL!? HOW!??
-
-
@El_Heffe said in How Do I Security:
@pydsigner said in How Do I Security:
@error said in How Do I Security:
@masonwheeler said in How Do I Security:
@Fox Why not? They didn't provide any wrong answers, so there's literally nothing wrong... right?
I read once about a voicemail system that would only listen for correct PIN digits, but would ignore incorrect PIN digits. (DTMF)
So, for a four digit PIN, 0123456789012345678901234567890123456789 would get you into anyone's voicemail.
Somebody once discovered that many of the top executives at our company had never bothered to change the default password on their voicemail. Much hilarity ensued.
Was it 12345?
-
@Rhywden said in How Do I Security:
Was it 12345?
That reminds me, I need to change the combination on my luggage…
-
@Rhywden said in How Do I Security:
@El_Heffe said in How Do I Security:
Somebody once discovered that many of the top executives at our company had never bothered to change the default password on their voicemail. Much hilarity ensued.
Was it 12345?
I think it was 1234.
-
@cheong said in How Do I Security:
@JBert said in How Do I Security:
@pydsigner Is there any report on why PayPal would even allow to downgrade 2FA to wish-it-were-2?
Because that sounds like just the same kind of
Well, think about the cases where your phone/2FA token device is lost/stolen/reset by someone when taken in for repair; there has to be some way to unbind the process so you won't get stuck in the middle when you need it.
My current credit card issuer will always call me for verification if an abnormal transaction is found (like an abnormally big one even if everything else looks okay) and will withhold the transaction until they can reach me and accept confirmation from me. If your Paypal account is backed by a credit card issuer that does this, I think downgrading from 3FA to 2FA is somewhat acceptable.
What if your credit card company can't reach you?
Anyway, the whole point of 2FA is to make transactions fail when one of the factors is missing, otherwise hackers can substitute one at will.
Cases where one of your authentication methods is compromised should always inconvenience both the genuine owner of the account as well as the attacker, e.g. by blocking the card and having to wait for snail mail to reach the owner (though the less intrusive way would be to send an email). Therefore it should be exceptional rather than baked into their normal flow.
-
@cheong said in How Do I Security:
My current credit card issuer will always call me for verification if an abnormal transaction is found
I wish my bank would do that. I recently purchased a large number of MP3s on Google Play Music. Since there is no cart functionality in the shop, that means loads of small transactions. I had to call the credit card hotline myself the next day to unlock my card, and they told me they are unable to whitelist anything for me, so I'd have to stop doing that.
Awesome service. Not.
-
@asdf said in How Do I Security:
@cheong said in How Do I Security:
My current credit card issuer will always call me for verification if an abnormal transaction is found
I wish my bank would do that. I recently purchased a large number of MP3s on Google Play Music. Since there is no cart functionality in the shop, that means loads of small transactions. I had to call the credit card hotline myself the next day to unlock my card, and they told me they are unable to whitelist anything for me, so I'd have to stop doing that.
Awesome service. Not.
My bank calls me the next day any time there's a hold.
-
@error That's not my problem, though. If information I deleted ever resurfaces, it's their fault and they will pay for that.
-
@aapis said in How Do I Security:
@error That's not my problem, though. If information I deleted ever resurfaces, it's their fault and they will pay for that.
It's their fault...
THIS SUMMER
...and they will pay for that!
-
@error said in How Do I Security:
@aapis said in How Do I Security:
@error That's not my problem, though. If information I deleted ever resurfaces, it's their fault and they will pay for that.
It's their fault...
THIS SUMMER
...and they will pay for that!
When did this thread get back to US politics?
-
@JBert said in How Do I Security:
What if your credit card company can't reach you?
The transaction will be held until they can reach me. I don't know what happens if the transaction is voided because they can't reach me (a transaction is voided if the bank/card issuer cannot clear and settle it within 30 days), but I imagine it should be roughly the same as what happens when I phone the credit card center to withhold that transaction... maybe a handling fee will be charged. Still way better than allowing a doubtful transaction to sneak through.
-
@asdf said in How Do I Security:
I wish my bank would do that. I recently purchased a large number of MP3s on Google Play Music. Since there is no cart functionality in the shop, that means loads of small transactions.
Get yourself a gift card? Or use Google Opinions to earn a bit of credit. I've got about £20 that I really should get round to spending