Feeds

Man banished from PayPal for showing how to hack PayPal

Some hacking tools more equal than others

Internet Security Threat Report 2014

PayPal suspended the account of a white-hat hacker on Tuesday, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor.

"Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law," company representatives wrote in an email sent to the hacker, Moxie Marlinspike. "Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience."

The email, sent from an unmonitored PayPal address, makes no mention of the item that violates the PayPal policy. The suspension effectively freezes more than $500 in the account until Marlinspike submits a signed affidavit swearing he has removed the PayPal logos from his site.

Since 2002, Marlinspike has included a yellow donate button on the download page for a hacking tool he calls SSLSniff, and more recently he released a program called SSLStrip, which also includes the button. But it was only after someone published counterfeit SSL certificate on Monday that PayPal took action against the account.

"This is not something I had anything to do with, and they responded by suspending my account," Marlinspike told The Reg. "I've been the one trying to warn them of this in the first place."

The account suspension is troubling because it penalizes an independent security researcher whose discoveries have already yielded important insights into secure sockets layer, one of the web's oldest and most relied upon measures for preventing man-in-the-middle attacks. It's the latest action to demonize hacker tools that can be used by security professionals for good because they can also be used by criminals for bad.

It also flies in the face of the tacit approval of PayPal and its parent company, eBay, give to groups distributing dozens of other hacking tools. No doubt, the Wireshark packet sniffer is used regularly to reveal the passwords of unsuspecting victims, and yet its purveyors accept payments by PayPal. The same goes for the Cain & Abel and l0phtcrack password recovery tools and Remote-Exploit.org, a group whose tag line reads: "Supplying offensive security products to the world."

A PayPal spokeswoman said the company's privacy policy prevented her from discussing Marlinspike's case. But in general, she said hacking tools are allowed in certain cases, such as when they can be used to legitimately help administrators assess the strength of user passwords.

"We do not, however, allow PayPal to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information," the spokeswoman, Sara Gorman, wrote in an email. "We consider whether there is any legitimate use in helping to strengthen the defenses of one's site when determining violation of our policy."

She said PayPal relies on a dedicated team with "extensive experience in information security, law enforcement, financial services and risk" to make such decisions. She didn't explain how they determined programs such as Wireshark and Cain & Abel have legitimate uses and the tools offered by Marlinspike do not. She also didn't explain why Marlinspike's banishment came less than 24 hours after the release of the bogus PayPal certificate.

According to a note included with the certificate's release, Marlinspike distributed it during a training session at the Black Hat security conference in July. The hacker confirms he offered a class to penetration testers that taught them everything they'd need to test and carry out attacks on SSL certificates, and as part of that, he included a proof-of-concept certificate. But he never distributed the certificate and each student signed an agreement stating the material was for evaluation purposes and was not be be publicly released, he said.

And in any event, he never used PayPal to accept payment for the class. What's more, the only items being distributed on the PayPal-adorned pages are SSLStrip and SSLSniff. Bogus certificates were never available anywhere on the site, he said.

So if you're a hacker who relies on PayPal, the not-so-subtle message is to make sure your projects steer clear of your online payment processor. It doesn't matter that you speak at the same conferences attended by the rest of the security world. As PayPal well knows, hacker tools can be used for good or for bad, and the company has the sole discretion to choose which is which. ®

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.