Thursday, October 15, 2009

Don't Hack PayPal!!!

October 2009

Man banished from PayPal for showing how to hack PayPal. PayPal suspended the account of a white-hat hacker on October 6, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor. “Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law,” company representatives wrote in an email sent to the white-hat hacker. “Please understand that this is a security measure meant to help protect you and your account.” The email, sent from an unmonitored PayPal address, makes no mention of the item that violates the PayPal policy. The suspension effectively freezes more than $500 in the account until the white-hat hacker submits a signed affidavit swearing he has removed the PayPal logos from his site.

Since 2002, the white-hat hacker has included a yellow donate button on the download page for a hacking tool he calls SSLSniff, and more recently he released a program called SSLStrip, which also includes the button. But it was only after someone published a counterfeit SSL certificate on October 5 that PayPal took action against the account. “This is not something I had anything to do with, and they responded by suspending my account,” the white-hat hacker told The Register. “I’ve been the one trying to warn them of this in the first place.”

The account suspension is troubling because it penalizes an independent security researcher whose discoveries have already yielded important insights into Secure Sockets Layer (SSL), one of the web’s oldest and most relied-upon measures for preventing man-in-the-middle attacks.
