May 5, 2007

Hacking PayPal

First of all I need to make a huge disclaimer. So here I go. This is highly illegal, and you could get arrested for doing such a thing. I accept no responsibility for your actions.

Not only that, but I purposely waited as long as I did to post this topic, mostly because I was waiting for PayPal to tell me they had fixed the problem. So if you try it and it works, then they lied; please tell me, and I will harass them and take this blog down. So it does not work anymore.

But there was a security flaw in the PayPal mailer bot a while back. If you sent a message to it, you would get all the info of all the users who had signed up to PayPal in a certain number of hours. Hence, if you told the bot to give you all the info of all the users who had signed up in the past 24 hrs, you would get the passwords, e-mail addresses and account info of every user that had signed up to PayPal in the past 24 hrs.

This is how it works.

Most PayPal users are recognized by PayPal by their e-mail addresses. 87% of all PayPal users use either Yahoo or Hotmail e-mail accounts. This includes me. After the user signs up to PayPal and has confirmed he is who he claims he is (usually by giving credit card info or checking account info), the information gets put in the PayPal mailerbot (there are 2 main PayPal mailerbots: the Yahoo mailerbot and the Hotmail mailerbot), which then sends the confirmation e-mail to the user. So this is where the flaw lies.

What you need
1: A yahoo or hotmail e-mail account.
2: A confirmed PayPal account.

So if you had one of these, you could have done this.
What you would do is this: log into your Yahoo e-mail account by going to http://mail.yahoo.com. Then you would send an e-mail to servermailerbot0k010m1@yahoo.com.
In the subject line you would write exactly this:
0yah3534paypal78verif-0e24 (this confuses the mailerbot)

Then in the body you would write exactly 12 lines, no more and no less. They must be exactly as I wrote them unless otherwise stated.

In line 1: Content-Type: text/plain;

In line 2: charset=us-ascii (To make the reply readable)

In line 3: address000%%confirmation0e24.yahoo.com (To confuse the mailerbot)

In line 4: p38ylec00rm::s%%http://www.paypal.com%% (To make the mailerbot start retrieving information acquired from PayPal.)

In line 5: Your primary e-mail at PayPal (such as yourname@yahoo.com, but it needs to be the primary e-mail of your PayPal account)

In line 6: start (retrieve > 0) (To activate the mailerbot's retrieval function)

In line 7: verified (*value= = float) (To continue the mailerbot's retrieval function)

In line 8: Your PayPal password (e.g. mypassword, because the Yahoo mailerbot was programmed in a way that it sends testing info to PayPal, who'll verify each account's password and confirm it with the Yahoo mailerbot. So in line 8 you have to enter the valid/correct password of your PayPal account.)

In line 9: #searchmsgend72hr (To search for info of PayPal members who had their addresses confirmed in the last 72 hours. If you want to search for a longer period of time, it would be #searchmsgend90hr, which will get everyone's info from the past 90 hrs.)

In line 10: Your Yahoo e-mail password (By entering the password of your e-mail account, the Yahoo mailerbot will assume this is a command from the administrator and will send the information to the administrator, who is actually you.)

In line 11: send&&idR20034-tsa-0583 (This will make the mailerbot send all the info to your e-mail)

In line 12: #endofmsg (Last step!)
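As an added example from the defensive side (this is not code from the original post), here is a small Python filter that recognises the twelve-line template above by its fixed markers and separates out the free-text slots, which are exactly the sender's own PayPal address and two passwords. The marker patterns, the threshold and the two sample bodies are my own assumptions built from the lines listed on this page.

```python
import re
from typing import List

# Fixed strings from the 12-line template on this page. They do not vary
# between copies, so they make a reliable signature; only lines 5, 8 and 10
# (the e-mail address and the two passwords) differ per sender.
MAILERBOT_MARKERS = [
    re.compile(r"^Content-Type:\s*text/plain;?$", re.I),
    re.compile(r"^charset=us-ascii$", re.I),
    re.compile(r"%%confirmation\S*\.yahoo\.com$", re.I),
    re.compile(r"::s%%https?://www\.paypal\.com%%$", re.I),
    re.compile(r"^start \(retrieve > 0\)$", re.I),
    re.compile(r"^verified \(\*value= = float\)$", re.I),
    re.compile(r"^#searchmsgend\d+hr$", re.I),
    re.compile(r"^send&&id\S+$", re.I),
    re.compile(r"^#endofmsg$", re.I),
]

def _lines(body: str) -> List[str]:
    return [ln.strip() for ln in body.splitlines() if ln.strip()]

def mailerbot_markers_hit(body: str) -> List[int]:
    """Indexes of the template markers found anywhere in the body."""
    lines = _lines(body)
    return [i for i, pat in enumerate(MAILERBOT_MARKERS)
            if any(pat.search(ln) for ln in lines)]

def free_text_lines(body: str) -> List[str]:
    """Lines matching no marker: in a template hit these are the slots the
    sender filled with their PayPal e-mail, PayPal password and mailbox
    password, i.e. the secrets the message carries out of the mailbox."""
    return [ln for ln in _lines(body)
            if not any(pat.search(ln) for pat in MAILERBOT_MARKERS)]

def is_mailerbot_template(body: str, min_markers: int = 4) -> bool:
    """Flag only when several fixed markers co-occur; a lone header-like
    line such as 'Content-Type: text/plain;' is not enough on its own."""
    return len(mailerbot_markers_hit(body)) >= min_markers

# Constructed sample (not a real message): the template with placeholder
# secrets in the three free-text slots.
SAMPLE_SCAM_BODY = """Content-Type: text/plain;
charset=us-ascii
address000%%confirmation0e24.yahoo.com
p38ylec00rm::s%%http://www.paypal.com%%
someone@yahoo.com
start (retrieve > 0)
verified (*value= = float)
PAYPAL-PASSWORD-PLACEHOLDER
#searchmsgend72hr
MAILBOX-PASSWORD-PLACEHOLDER
send&&idR20034-tsa-0583
#endofmsg
"""
SAMPLE_BENIGN_BODY = "Hi, the invoice for April is attached.\nThanks, Bob\n"
```

Run on an outbound mail stream, a hit plus the free-text slots tells a help desk which account credentials the sender should rotate.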

Once again, this does not work anymore, so you can try it but nothing will happen. But if it did work and you used any of the info you received for criminal acts, you would get caught and prosecuted.