
donation buttons & virusses harvesting IE webcache


  • This topic is locked
5 replies to this topic

#1 Marco van Loon

Marco van Loon

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 15 October 2003 - 06:07 AM

[I e-mailed the following to Paypal through the Paypal security
center before I found these forums and thought this might also
interest people here...]

While browsing the documentation on adding donation buttons
to websites, I noticed something that has recently become a huge
problem:
The HTML form code for the button includes a plaintext e-mail address in
the HTML code.
What this means:
1) I put such a button on my website
2) someone visits the website and the webpages get stored in
their Internet Explorer's web cache
3) the person gets infected by a mass-mailing virus such as "Swen"
4) I get mailbombed with virus e-mails because the virus harvests my e-mail
address out of the donation button code in
their IE's webcache. :(

Since ridding the world of viruses or ridding it of the virus-prone
Outlook/Outlook Express is not an option, the only
option is to not use plaintext e-mail addresses on webpages.


I was hit reasonably hard by the Swen virus because I was stupid
enough to put my e-mail address un-munged on a newsgroup's FAQ
webpage (downloading 5-10 Mbyte of virus-mails per day over dial-up
is not fun...), so I prefer not to get into the same kind of
mess if I put a Paypal donate button on (a) webpage(s). :(


Marco van Loon (who runs Linux and can't get infected by the stupid
mail viruses; just mailbombed by them... :( )


#2 PayPalSteve

PayPalSteve

    New Member

  • Members
  • 56 posts

Posted 15 October 2003 - 01:02 PM

There are ways to encrypt or even hide your code, you might want to check out the security options at:
http://iva.tech.nu or
http://www.pc-help.org/obscure.htm or http://www.dynamicdr...ndex9/encrypter

Steven N.
PayPal Tech Support
PayPal, an eBay company
http://www.paypal.com/pdn

#3 Marco van Loon

Marco van Loon

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 19 October 2003 - 05:16 PM

[quote]Originally posted by PayPalSteve
There are ways to encrypt or even hide your code, you might want to check out the security options at:
http://iva.tech.nu or
[/quote]
Those "obnoxifying" javascripts only work against certain webbrowsers
_and_ only if they've got javascript activated...
They certainly won't work against a virus' "string parser" parsing
an HTML file...
[quote]
http://www.pc-help.org/obscure.htm or http://www.dynamicdr...ndex9/encrypter
[/quote]
Ah, obscuring, often used by spammers to try and circumvent
spamfilters. I'm guessing that many spamfilters already have
uri_unescape functions available and I doubt it will take long
for virus developers to adopt those functions into their viruses
if they haven't already. And then it's just a case of the virus,
instead of only scanning for some@thing, also scanning for some%40thing and some&#64;thing to locate e-mail addresses... :(

Doing some Googling, I found lots of links of the type:
https://www.paypal.com/refer/pal/=[13-char-uppercase-alphanumeric-string]
so Paypal apparently has or had a system where some or all users
have/had some kind of userID string.
To me such a userID would seem an excellent idea to put into
the 'business' field of donation HTML forms instead of the e-mail address. No more e-mail address harvesting is possible for
viruses and spammers that way. :)


Marco van Loon
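To check the point made above against your own pages, here is an added audit script (not from the thread or from PayPal) that undoes the two obscuring tricks mentioned, %40 URL escapes and &#64; character references, and reports any address that remains recoverable, including one sitting in a 'business' form field. The sample page, the form action URL and the 13-character identifier are constructed for the example.

```python
import re
import html
from urllib.parse import unquote

# Constructed sample page: one donation form whose 'business' field
# carries a plaintext address, two "obscured" copies of the same
# address, and a second form that uses an opaque identifier instead.
SAMPLE_HTML = """
<form action="https://payments.example.invalid/donate" method="post">
<input type="hidden" name="business" value="donate@example.org">
</form>
<a href="mailto:donate%40example.org">mail me</a>
<p>donate&#64;example.org</p>
<form action="https://payments.example.invalid/donate" method="post">
<input type="hidden" name="business" value="ABCDEFGHIJKLM">
</form>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
INPUT_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def normalize(text):
    """Undo URL escaping (%40) and HTML character references (&#64;),
    which is all a simple string parser needs to do to defeat them."""
    return html.unescape(unquote(text))


def find_harvestable_addresses(page):
    """Return the distinct e-mail addresses still recoverable from the
    page once the obscuring has been undone."""
    return sorted(set(EMAIL_RE.findall(normalize(page))))


def business_fields_with_email(page):
    """Return the values of 'business' hidden inputs that are e-mail
    addresses rather than an opaque account identifier."""
    hits = []
    for tag in INPUT_RE.findall(page):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        value = attrs.get("value", "")
        if attrs.get("name") == "business" and EMAIL_RE.fullmatch(normalize(value)):
            hits.append(value)
    return hits


if __name__ == "__main__":
    print("recoverable addresses:", find_harvestable_addresses(SAMPLE_HTML))
    print("business fields exposing an address:", business_fields_with_email(SAMPLE_HTML))
```

Run it against the HTML your button generator produces; the only output that counts as safe is an empty list from both functions.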


#4 BWWD2008

BWWD2008

    Member

  • Members
  • PipPip
  • 13 posts

Posted 11 May 2008 - 09:34 PM

But then that would mean each user would have to have a separate ID for each e-mail address so they can set up PayPal buttons with the different e-mail accounts they have listed in their PayPal settings.

If they just used one main PayPal ID code, it would not be possible to differentiate between the different businesses or sites they may be using through one PayPal account.

PayPal Donation Meter - http://www.PayPalDonationMeter.com

#5 stellarwebsolutionsnet

stellarwebsolutionsnet

    Junior Member

  • Members
  • 194 posts

Posted 18 May 2008 - 08:43 PM

[quote]Originally posted by Marco van Loon
[I e-mailed the following to Paypal through the Paypal security
center before I found these forums and thought this might also
interest people here...]

While browsing the documentation on adding donation buttons
to websites, I noticed something that has recently become a huge
problem:
The HTML form code for the button includes a plaintext e-mail address in
the HTML code.
[/quote]

You can encrypt the buttons so that there is no plaintext e-mail. Rather than using the obfuscation techniques that don't work in all browsers, you can either generate an encrypted button with PayPal's button factory, or use this to generate your own dynamically:
http://www.stellarwe...ryption_php.php



Tyler
Stellar Web Solutions - e-Solutions for e-Commerce
Secure Payment, Ordering, Shipping, Electronic Goods Delivery
http://www.stellarwebsolutions.com/

Track PayPal Donations Live http://www.stellarwe...en/products.php

#6 john3

john3

    Junior Member

  • Members
  • 183 posts

Posted 22 May 2008 - 04:55 AM

Or if you have access to PHP or some other server side language
you could use the full "form" replacement for the button as
described on my site. (Look in the free code library section)

Personally I believe this to be more secure than using the rather
poor encryption the internet is legally allowed to use.

If you disagree you can still encrypt on top, as the method collects
the data via a form but still sends the relevant details as a "button".
It just gives you full flexibility when collecting the info from your customer.


john
www.streamforensics.com
Home of Data Minion
Automated forms & database validation
