By Unknown Lamer from Slashdot's get-your-60day-exploits department
About six weeks ago, a hole in Paypal's two-factor authentication and its mobile client was discovered. hypnosec (2231454) wrote in with news of another trivial way to bypass Paypal's two-factor authentication. A bug in a feature for eBay integration allows passing a GET parameter to bypass two-factor authentication completely, and you don't even need to be coming from eBay to use it. You still need the password, but the additional protection is lost. From the article:
eBay, in conjunction with Paypal, provides a service where you can link your eBay account to your Paypal account, and when you sell something on eBay, the fees automatically come out of your Paypal account. ... When you are redirected to the login page, the URL contains "<tt>=_integrated-registration</tt>." ... Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/ , and you are logged in, and don't need to re-enter your login.
So, the actual bug itself is that the "<tt>=_integrated-registration</tt>" function does not check for a 2FA code, despite logging you into Paypal.
You could repeat the process using the same "<tt>=_integrated-registration</tt>" page an unlimited number of times.
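The bug class behind this story is an alternate login entry point that mints the same session cookie as the normal login but never asks for the second factor, so every page that only checks "is there a session?" accepts it. The following is an added illustration, not code from the article or from Paypal or eBay: a toy login service with a vulnerable design (two separate login paths, one of which skips 2FA) beside a hardened one (a single authenticator, with the "second factor completed" state recorded in the session and checked by every protected page). The account table, the fixed TOTP code accepted by `totp_ok`, and all function names are assumptions made so the example runs offline.

```python
"""Toy model of an alternate-login 2FA bypass and its fix.

Constructed example, not Paypal's or eBay's code. The user table, the
fixed TOTP code and the function names are assumptions for an offline run.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed account store: alice has 2FA turned on, bob does not.
USERS = {
    "alice": {"password": "correct horse", "totp_secret": "JBSWY3DPEHPK3PXP"},
    "bob": {"password": "hunter2", "totp_secret": None},
}


def password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and rec["password"] == password


def totp_ok(secret: str, code: Optional[str]) -> bool:
    # Stand-in for a real TOTP verifier (assumption): accepts one fixed code
    # so the example needs no clock or HMAC. Use a real library in practice.
    return code == "123456"


@dataclass
class Session:
    user: str
    second_factor_done: bool  # carried in the session, not inferred from a URL


# --- Vulnerable design: two login paths, only one of which enforces 2FA ---

def vuln_login(user: str, password: str, totp_code: Optional[str] = None):
    """Normal login page: password, then TOTP if the account has 2FA."""
    if not password_ok(user, password):
        return None
    secret = USERS[user]["totp_secret"]
    if secret and not totp_ok(secret, totp_code):
        return None
    return Session(user, second_factor_done=True)


def vuln_integration_login(user: str, password: str):
    """Integration flow written as its own login: never asks for the second
    factor, yet issues the same session the rest of the site trusts."""
    if not password_ok(user, password):
        return None
    return Session(user, second_factor_done=True)


def vuln_main_page(session: Optional[Session]) -> bool:
    # The main site only checks that a session cookie exists.
    return session is not None


# --- Hardened design: one authenticator, state carried in the session -----

def authenticate(user: str, password: str, totp_code: Optional[str] = None):
    """Single place that decides whether a session is fully authenticated.
    Every entry point calls this; none has private login logic."""
    if not password_ok(user, password):
        return None
    secret = USERS[user]["totp_secret"]
    done = (not secret) or totp_ok(secret, totp_code)
    return Session(user, second_factor_done=done)


def safe_integration_login(user: str, password: str,
                           totp_code: Optional[str] = None):
    # The integration flow reuses the central policy and cannot skip it.
    return authenticate(user, password, totp_code)


def safe_main_page(session: Optional[Session]) -> bool:
    # Every protected page checks the 2FA flag, not merely cookie presence.
    return session is not None and session.second_factor_done


def bypass_possible(integration_login, main_page) -> bool:
    """True if a 2FA-enabled account reaches the main page via the
    integration flow with only a password."""
    return main_page(integration_login("alice", "correct horse"))
```

Two things are worth checking in any real system with the same shape: every endpoint that can set the session cookie should go through the one authenticator (`authenticate` here), and the session itself should record whether the second factor was completed so that a page cannot be fooled by how the session was created. In the hardened version the integration flow still gets a password-only session for its own confirmation page, but that session fails `safe_main_page` until the TOTP step is done.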
By Unknown Lamer from Slashdot's go-long department
Despite a failed attempt to have the charges dismissed, the alleged Silk Road operator Ross Ulbricht's lawyer has filed a new motion to have evidence suppressed, citing recent court rulings in an argument that the Silk Road related searches were overly broad. From the article:
Dratel [Ulbricht's lawyer] argues in his 102-page motion filed last Friday that "the government conducted a series of 14 searches and seizures of various physical devices containing electronically stored information ('ESI'), and of ESI itself from Internet providers and other sources. Some of the ESI was obtained via search warrant, but other ESI was obtained via court order, and still other ESI was obtained without benefit of any warrant at all." ...
The defense lawyer argues that even the searches for which the government had a warrant were overbroad and based on evidence that may have been obtained illegally. The attorney writes: "As set forth ante, all of the searches and seizures conducted pursuant to warrants and/or orders were based on the initial ability of the government to locate the Silk Road Servers, obtain the ESI on them, and perform extensive forensic analysis of that ESI. Thus, all subsequent searches and seizures are invalid if that initial locating of the Silk Road Servers, obtaining their ESI, and gaining real-time continued access to those servers, was accomplished unlawfully."
By Roblimo from Slashdot's not-everybody-loved-the-idea-of-putting-the-masses-online department
Back in the dawn of prehistory, only universities, government agencies, and a few big corporations could get on the Internet. The rest of us either had computers connected to nothing (except maybe an electric outlet), or to Compuserve, Prodigy, AOL or another online service, or possibly to a bulletin board system (BBS). And then, one day in 1989, Barry Shein hooked a server and some modems to an Internet node he managed for a corporate/academic wholesale Internet provider, and started selling dialup accounts for $20 per month to individuals, small companies, and just about anyone else who came along. Barry called his ISP The World, which is still out there with a retro home page ("Page last modified April 27, 2006"), still selling shell accounts. We may run a second interview with Barry next week, so please stay tuned.