Fraud scheme in PayPal allows anyone to increase balance endlessly

Razvan Cernaianu user described a method by which PayPal users could double their amount of money related to their account endlessly.

The expert at Cyber Smart Defence TinKode a.k.a Razvan Cernaianu claimed to have found a loophole in the PayPal service, for the precision in its Chargeback Process, which could be exploited by a bad actor to increase his balance in fraudulent way.23

“In the following lines I will explain to you a method by which you can double the money in your PayPal account… endlessly. You probably believe that I have found a web vulnerability of some sort. Unfortunately, it’s something much worse. To be more exact: it’s a problem with their TOS.” wrote TinKode.

TinKod noticed an anomalous behavior while making a transaction using PayPal back in 2010, he explained that a person was trying to scam him with his money using the same chargeback process.

Once noticed the attempt of scam and to avoid paying charges, he transferred all his money from his temporary account to his another real PayPal account. After a month, when he checked is Paypal balance he noticed that it was negative.

“A Chargeback, also known as a reversal, occurs when a buyer asks a credit card company to reverse a transaction that has already cleared” and this could be done when the buyer’s credit card number is stolen and used fraudulently or if seller tries to fraud.” said TinKode.

TinKode demonstrated to the PayPal security team the presence of a loophole in PayPal service which allows any user to double its amount endlessly. Following the description provided as proof of concept by using three separate PayPal account with one real and other two verified using Virtual Credit Card (VCC) and Virtual Bank Account (VBA).

POC Scenario:

“So for example, you have 500$ on your account. You transfer the money to the second account with the pretext of buying a phone. From the second account you again transfer the money to the third account as a gift. After 24 hours, use the charge-back function from the first account (the real one) to get the money back, with the excuse that the phone did not arrive on time. PayPal will initiate a process where both sides bring evidence for their defense. Obviously you will only send evidence from the first account showing that you were scammed. At the end of the trial the money will be restored to the primary account and the second account will have a negative balance of -500$. This way, you doubled the initial amount of money because you still have 500$ in the third account. As the second account is only a virtual one, it will not have real money from which PayPal can extract. Therefore you are left with 500$ restored by PayPal, and 500$ in your third account.”

TinKode has reported the fraud scheme to flaw to the PayPal Security team for bug bounty, but the company despite has admitted admitted a flaw in their Terms of Service (ToS), hasn’t recognized it as an application vulnerability.

“While the abuse described here is possible in our system, repeated abusive behavior by the same and/or linked account(s) is addressed.” PayPal replied.

I consider absurd to have excluded TinKode from the bug bounty, please do not reproduce this trick because it is illicit and PayPal could ban your account permanently.

Pierluigi Paganini

(Security Affairs – PayPal, Fraud)