Feeds

Man banished from PayPal for showing how to hack PayPal

Some hacking tools more equal than others

High performance access to file storage

PayPal suspended the account of a white-hat hacker on Tuesday, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor.

"Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law," company representatives wrote in an email sent to the hacker, Moxie Marlinspike. "Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience."

The email, sent from an unmonitored PayPal address, makes no mention of the item that violates the PayPal policy. The suspension effectively freezes more than $500 in the account until Marlinspike submits a signed affidavit swearing he has removed the PayPal logos from his site.

Since 2002, Marlinspike has included a yellow donate button on the download page for a hacking tool he calls SSLSniff, and more recently he released a program called SSLStrip, which also includes the button. But it was only after someone published counterfeit SSL certificate on Monday that PayPal took action against the account.

"This is not something I had anything to do with, and they responded by suspending my account," Marlinspike told The Reg. "I've been the one trying to warn them of this in the first place."

The account suspension is troubling because it penalizes an independent security researcher whose discoveries have already yielded important insights into secure sockets layer, one of the web's oldest and most relied upon measures for preventing man-in-the-middle attacks. It's the latest action to demonize hacker tools that can be used by security professionals for good because they can also be used by criminals for bad.

It also flies in the face of the tacit approval of PayPal and its parent company, eBay, give to groups distributing dozens of other hacking tools. No doubt, the Wireshark packet sniffer is used regularly to reveal the passwords of unsuspecting victims, and yet its purveyors accept payments by PayPal. The same goes for the Cain & Abel and l0phtcrack password recovery tools and Remote-Exploit.org, a group whose tag line reads: "Supplying offensive security products to the world."

A PayPal spokeswoman said the company's privacy policy prevented her from discussing Marlinspike's case. But in general, she said hacking tools are allowed in certain cases, such as when they can be used to legitimately help administrators assess the strength of user passwords.

"We do not, however, allow PayPal to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information," the spokeswoman, Sara Gorman, wrote in an email. "We consider whether there is any legitimate use in helping to strengthen the defenses of one's site when determining violation of our policy."

She said PayPal relies on a dedicated team with "extensive experience in information security, law enforcement, financial services and risk" to make such decisions. She didn't explain how they determined programs such as Wireshark and Cain & Abel have legitimate uses and the tools offered by Marlinspike do not. She also didn't explain why Marlinspike's banishment came less than 24 hours after the release of the bogus PayPal certificate.

According to a note included with the certificate's release, Marlinspike distributed it during a training session at the Black Hat security conference in July. The hacker confirms he offered a class to penetration testers that taught them everything they'd need to test and carry out attacks on SSL certificates, and as part of that, he included a proof-of-concept certificate. But he never distributed the certificate and each student signed an agreement stating the material was for evaluation purposes and was not be be publicly released, he said.

And in any event, he never used PayPal to accept payment for the class. What's more, the only items being distributed on the PayPal-adorned pages are SSLStrip and SSLSniff. Bogus certificates were never available anywhere on the site, he said.

So if you're a hacker who relies on PayPal, the not-so-subtle message is to make sure your projects steer clear of your online payment processor. It doesn't matter that you speak at the same conferences attended by the rest of the security world. As PayPal well knows, hacker tools can be used for good or for bad, and the company has the sole discretion to choose which is which. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.