Simon Willison’s Weblog

Subscribe
Atom feed for paypal

4 items tagged “paypal”

2023

Shamir Secret Sharing (via) Cracking war story from Max Levchin about the early years of PayPal, in which he introduces an implementation of Shamir Secret Sharing to encrypt their master payment credential table... and then finds that the 3-of-8 passwords needed to decrypt it and bring the site back online don’t appear to work.

# 11th August 2023, 3:48 pm / encryption, ops, paypal

2008

Robust Defenses for Cross-Site Request Forgery [PDF]. Fascinating report which introduces the “login CSRF” attack, where an attacker uses CSRF to log a user in to a site (e.g. PayPal) using the attacker’s credentials, then waits for them to submit sensitive information or bind the account to their credit card. The paper also includes an in-depth study of potential protection measures, including research that shows that 3-11% of HTTP requests to a popular ad network have had their referer header stripped. Around 0.05%-0.10% of requests have custom HTTP headers such as X-Requested-By stripped.

# 24th September 2008, 9:40 am / pdf, http, csrf, paypal, logincsrf, phishing, security, xrequestedby

PayPal Plans to Ban Unsafe Browsers. At first I thought they were going to encourage real anti-phishing features in browsers, which would be a big win for OpenID... but it turns out they’re just requiring EV SSL certificates which have been proven not to actually work.

# 19th April 2008, 10:45 am / openid, paypal, security, phishing, evssl

2007

A typical phishing email will have a generic greeting, such as 'Dear User'. Note: All PayPal emails will greet you by your first and last name.

PayPal's Phishing Guide

# 22nd September 2007, 2:33 pm / doh, email, paypal, phishing, security