* They have issues with their sign-in window opening in a pop-up/dialog instead of a new tab/window. [1]
* When I received money in a foreign currency recently, it didn't appear in my PayPal dashboard. I had to talk to three PayPal employees on the phone support before the fourth told me this was apparently a bug. All my settings were correct but I had to add an additional balance in the foreign currency, temporarily, to receive the money. Actually, I should be asked what to do with the foreign-currency amount (create new balance, convert, etc.).
* I'm using two-factor authentication and it's just annoying: On their main site, I can sign in, that's fine. On other pages, they just ask me for the 2FA token from my token generator (which I don't have) and don't offer the SMS verification which should be there, too. Sometimes I have to disable 2FA completely before I can perform certain actions.
* Until a few days ago, you could capture CSRF tokens that were valid for all accounts, not just your own. [2]
* They have XSS vulnerabilities from time to time. Okay, lots of sites have those. If you don't escape by default, this can happen, although it shouldn't. [3][4]
I know, big legacy code base. But other companies have similar challenges. PayPal wants to work with your money, they should be at least as good as Twitter, Facebook, GitHub, and hundreds of other sites that work better.
[1] http://homakov.blogspot.de/2014/12/new-paypal-gateway-ui-is-disaster.html
[2] http://www.theregister.co.uk/2014/12/04/paypal_csrf_bug_bounty/
[3] https://nakedsecurity.sophos.com/2013/05/29/paypal-refuses-to-pay-bug-finding-teen/
[4] http://www.forbes.com/sites/firewall/2010/10/06/hackable-bug-found-on-paypal-com/