TinKode a.ka. Razvan Cernaianu has found a loophole in Paypal which allows anyone to double or triple their balance with Paypal. Paypal is one of the largest web money transfers/payments gateway and is owned by eBay.  Paypal allows users from over 193 countries to receive and send money without sharing any financial information.  Though its charges are exhorbitant, it is used by over 143 active users across the globe and processes 9 million transactions daily. 
PayPal vulnerability allows users to keep on doubling their PayPal balance again and again
TinKode discovered a loophole in PayPal which he says, allows its users to double the money in their account and that too endlessly. In layman terms it means that with only $50 in your PayPal account, you can make it to $100, then $100 to directly $200 and so on. 

TinKode found this loophole in the PayPal service that actually resides in its Chargeback Process which could be exploited to do fraud Paypal and double the money real time. Tinkode is a convicted former Romanian hacker, who was arrested in year 2012 for launching cyber attacks on NASA, Oracle, Pentagon, U.S. Army and many high profile websites.  In a indictment by US Court, he was penalised with US$120,000 fine.

He noticed the flaw while making a transaction using PayPal with a person back in 2010, who was trying to scam him with his money using the same chargeback process. To avoid paying charges, he transferred all his money from his temporary account to his original account. A month later however, when he checked his account, the balance shown was negative.

He then tried out the loophole on his Paypal account and could successfully double the amount he had. He alerted the Paypal security team and submitted the POC to them. The proof of concept explanation he detailed that by making three separate PayPal account with one real and other two verified using Virtual Credit Card (VCC) and Virtual Bank Account (VBA).

POC Scenario:
“So for example, you have 500$ on your account. You transfer the money to the second account with the pretext of buying a phone. From the second account you again transfer the money to the third account as a gift. After 24 hours, use the charge-back function from the first account (the real one) to get the money back, with the excuse that the phone did not arrive on time. PayPal will initiate a process where both sides bring evidence for their defense. Obviously you will only send evidence from the first account showing that you were scammed. At the end of the trial the money will be restored to the primary account and the second account will have a negative balance of -500$. This way, you doubled the initial amount of money because you still have 500$ in the third account. As the second account is only a virtual one, it will not have real money from which PayPal can extract. Therefore you are left with 500$ restored by PayPal, and 500$ in your third account.”

TinKode already reported the flaw to PayPal Security team for bug bounty and they admitted it as a flaw in their Terms of Service (ToS), but not as a web application vulnerability. “While the abuse described here is possible in our system, repeated abusive behavior by the same and/or linked account(s) is addressed.” PayPal replied.

Readers may note that attempting above flaw is against PayPal ToS and may result in a permanent ban of your account and email id and your loosing even the available balance with PayPal

3 COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here