Loophole in PayPal Allows Anyone to Double PayPal Money

Almost everyone uses PayPal for online transactions, mostly online shopping, transferring funds, etc. Many people have a PayPal account but no balance on it. What if your money doubled, tripled, or kept growing, and that in just a couple of hours? It is not a joke. A loophole in PayPal's payment service allows its users to double the money in their account.

The Romanian hacker TinKode, a.k.a. Razvan Cernaianu, has claimed to have found a loophole in the PayPal service that resides in its chargeback process and could be exploited to defraud PayPal.

“A Chargeback, also known as a reversal, occurs when a buyer asks a credit card company to reverse a transaction that has already cleared.” This can happen when the buyer's credit card number has been stolen and used fraudulently, or when the seller tries to commit fraud.

He noted:
Back in 2010, he was making a payment via PayPal to a person who had tried to scam his money using PayPal's chargeback function. To avoid paying the charges, he transferred all his money from his temporary account to another, real PayPal account. When he checked a month later, he noticed that the temporary account's balance was negative: -$50.

He reported the vulnerability to the PayPal team under its bug bounty program, and to demonstrate it he described creating three separate PayPal accounts: one real, and the other two verified using a Virtual Credit Card (VCC) and a Virtual Bank Account (VBA).

Demonstration Scenario
“So for example, you have 500$ on your account. You transfer the money to the second account with the pretext of buying a phone. From the second account you again transfer the money to the third account as a gift. After 24 hours, use the charge-back function from the first account (the real one) to get the money back, with the excuse that the phone did not arrive on time. PayPal will initiate a process where both sides bring evidence for their defense. Obviously you will only send evidence from the first account showing that you were scammed. At the end of the trial the money will be restored to the primary account and the second account will have a negative balance of -500$. This way, you doubled the initial amount of money because you still have 500$ in the third account. As the second account is only a virtual one, it will not have real money from which PayPal can extract. Therefore you are left with 500$ restored by PayPal, and 500$ in your third account.”
In response to this demonstration scenario, he received the following reply from the PayPal security team:
Thank you for your patience while we completed our investigation. After reviewing your submission we have determined this is not a Bug Bounty issue, but one of our Protection Policy. While the abuse described here is possible in our system, repeated abusive behavior by the same and/or linked account(s) is addressed. Thank you for your participation in our program.
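As an added illustration, not code from the post or from PayPal, here is a defender-side check for the "linked account(s)" pattern PayPal's reply refers to: given a disputed transfer, it flags a payee that forwarded the funds onward shortly after receiving them and has no real funding source to absorb the reversal. The sample ledger, the `real_funding` field and the 48-hour window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    src: str        # paying account
    dst: str        # receiving account
    amount: float
    at: datetime

@dataclass(frozen=True)
class Account:
    name: str
    real_funding: bool  # False when verified only via a VCC/VBA (assumed field)

def chargeback_risk(accounts, transfers, disputed, window=timedelta(hours=48)):
    """Return the red flags a chargeback on `disputed` raises under the
    linked-account pattern: the payee forwarded the funds soon after receipt
    and cannot cover the resulting negative balance. Empty list = no flags."""
    payee = accounts[disputed.dst]
    onward = [t for t in transfers
              if t.src == disputed.dst and disputed.at <= t.at <= disputed.at + window]
    forwarded = sum(t.amount for t in onward)
    reasons = []
    if onward and forwarded >= disputed.amount:
        dests = sorted({t.dst for t in onward})
        reasons.append(f"payee forwarded {forwarded:.2f} to {dests} within {window}")
    if not payee.real_funding:
        reasons.append("payee has no real funding source to absorb a reversal")
    return reasons

# Constructed sample ledger reproducing the post's three-account scenario.
T0 = datetime(2010, 6, 1, 12, 0)
ACCOUNTS = {
    "first": Account("first", real_funding=True),     # the real account
    "second": Account("second", real_funding=False),  # VCC-verified only
    "third": Account("third", real_funding=False),    # VBA-verified only
    "shop": Account("shop", real_funding=True),       # an ordinary merchant
}
TRANSFERS = [
    Transfer("first", "second", 500.0, T0),                       # "buying a phone"
    Transfer("second", "third", 500.0, T0 + timedelta(hours=2)),  # "gift"
    Transfer("first", "shop", 80.0, T0),                          # genuine purchase
]

if __name__ == "__main__":
    # Chargeback filed from "first" on the phone payment: two flags raised.
    print(chargeback_risk(ACCOUNTS, TRANSFERS, TRANSFERS[0]))
    print(chargeback_risk(ACCOUNTS, TRANSFERS, TRANSFERS[2]))  # genuine purchase: none
```

A real dispute system would also correlate device, IP and funding-instrument data across the accounts, which this toy ledger does not carry.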