The PayPal 0-day Exploit and Leak That Wasn’t

Late yesterday, Anonymous announced that PayPal had been hacked during a series of attacks against it and other organizations in celebration of Guy Fawkes Day (November 5th). I tried to access the alleged dump file an hour later, but it was unavailable. Media began reporting PayPal was exploited by a 0-day, but provided no additional detail.

I’m always skeptical of alleged leaks until I have an opportunity to review the leak data, the affected organization confirms the leak, there’s strong evidence the leak occurred, or someone I trust confirms a leak. The head of PR at PayPal said there was no evidence to validate the claim and that PayPal was investigating, but that’s common so soon after an alleged publicized incident. I asked the Twitterverse if the leak was legit, and got some interesting public and private feedback (primarily shared skepticism), but no confirmation of the leak.

After being pointed towards Darren Pauli’s November 1st article about security researcher Neil Smith’s interaction with PayPal about his disclosure of security vulnerabilities and discovery of the exposure of confidential customer data, I gave more credence to the report of the alleged leak, but was still skeptical. Then I was pointed to a post on BlackHatWorld, which stated:

“They do all just look like a dump of transaction records from any company…
It’s fake… Look at this table ../4e5ff957d5
Why would PayPal store AllPay information? lool”

AllPay provides bill payment collection, prepaid card, card production, legal, and print / design services (two of these are not like the others!). Perhaps the 27,935 customer records which were leaked belong to (wait for it…wait for it!) AllPay. Then again, perhaps not. It’s unlikely since they’re [cough, cough]:

Fully compliant with the Payment Card Industry Data Security Standard (PCI DSS)

Today, @PayPal stated:

Please know @paypal was not attacked by #Anonymous original story has been corrected

PayPal was not attacked by Anonymous? Perhaps their data wasn’t the data that was allegedly leaked, but I assure you they’ve been *attacked* by members of Anonymous. If I were responsible for PR at PayPal, I wouldn’t have worded it that way. And what of the PayPal 0-day? It turns out that the PayPal 0-day referred to may really have been a ZPanel hosting control panel 0-day, which was incorrectly described as PayPal by Cyber War News. And the dump file? Hack the Planet (HTP) has claimed responsibility and says that it’s not affiliated with Anonymous.

Yet Anonymous continues to report that they hacked PayPal. Maybe there’s more to the story. I’ll sit back and wait for the media to report it. Until then I’ll remain a skeptic. And I won’t count on the media to get the facts right…at least right away. ;-)
