LoopHole in PayPal Terms Allows Anyone to Double PayPal Money Endlessly

[Reefa]

Many of us own a PayPal account for easy online transactions, but most of us don’t have balance in our PayPal Account. But what will happen if your money doubles, triple...or even more folds in just some couple of hours ?? Sounds cherishing!!

A loophole in the popular digital payment and money transfer service, PayPal allows its users to double the money in their account and that too endlessly. That means with only $50 in your PayPal account, you can make it to $100, then $100 to directly $200 and so on.

An eBay owned company, PayPal provides a faster and safer way to pay and get paid. The service gives people simpler ways to send money without sharing financial information, with over 148 million active accounts in 26 currencies and across 193 markets, thereby processing more than 9 million payments daily.

According to TinKode a.k.a Razvan Cernaianu, who claimed to have found this loophole in the PayPal service that actually resides in its Chargeback Process which could be exploited to do fraud with PayPal.

Tinkode is a convicted former Romanian hacker, who was arrested in year 2012 for attacking NASA, Oracle, Pentagon, U.S. Army and many more high profile websites and that time he was ordered to pay damages totalling more than US$120,000.

“A Chargeback, also known as a reversal, occurs when a buyer asks a credit card company to reverse a transaction that has already cleared” and this could be done when the buyer's credit card number is stolen and used fraudulently or if seller tries to fraud.

He noticed the flaw while making a transaction using PayPal with a person back in 2010, who was trying to scam him with his money using the same chargeback process. To avoid paying charges, he transfer all his money from his temporary account to his another, real PayPal account. But, when he checked after a month, he noticed that his account balance was negative i.e. $50.

Exactly this trick he demonstrated to PayPal security team, which allows anyone to double their amount endlessly. In a proof of concept explanation he detailed that by making three separate PayPal account with one real and other two verified using Virtual Credit Card (VCC) and Virtual Bank Account (VBA).

POC Scenario:

“So for example, you have 500$ on your account. You transfer the money to the second account with the pretext of buying a phone. From the second account you again transfer the money to the third account as a gift. After 24 hours, use the charge-back function from the first account (the real one) to get the money back, with the excuse that the phone did not arrive on time. PayPal will initiate a process where both sides bring evidence for their defense. Obviously you will only send evidence from the first account showing that you were scammed. At the end of the trial the money will be restored to the primary account and the second account will have a negative balance of -500$. This way, you doubled the initial amount of money because you still have 500$ in the third account. As the second account is only a virtual one, it will not have real money from which PayPal can extract. Therefore you are left with 500$ restored by PayPal, and 500$ in your third account.”

TinKode already reported the flaw to PayPal Security team for bug bounty and they admitted it as a flaw in their Terms of Service (ToS), but not as a web application vulnerability. “While the abuse described here is possible in our system, repeated abusive behavior by the same and/or linked account(s) is addressed.” PayPal replied.

TinKode is not eligible for bug bounty, but we thank him for exposing this fraud technique that could be already in use by some criminals to generate money illegally. Anyone with little technical knowledge can reproduce this trick, but readers are advised to do not try to use this trick as PayPal could ban your account permanently.

Source

[Enigmatism]

This pales in comparison to Fractional Reserve Lending, which is for some reason legal for banks but it devalues the currency.

[Rok]

What "double PayPal money endlessly" ? Cann't believe it. :( Has anyone here been able to make it ? :P

[Dodel]

You could pull off essentially the same stunt with a limited company in place of the seller account and using credit cards for the "purchase", or in fact any arrangement that doesn't have some form of withholding to back a payment protection scheme. This isn't a bug, it's a risk of doing business for payment platforms.

[CODYQX4]

.

Edited April 28, 2019 by CODYQX4

[nickloon]

Now we can conjure money out of thin air just like the mega banks :lol:.

as the loophole already known by paypal i don't think it will still working .

[iih1]

@Rok

Me just uses Normal Paypal..and should added also my CC more CC added the better as Paypal said..not yet tried.. :unsure:

[Rok]

@Rok

Me just uses Normal Paypal..and should added also my CC more CC added the better as Paypal said..not yet tried.. :unsure:

@iih1, I don't personally add my CC's to online portals until it is "necessary." Since, VCC's are now available with almost "every financial institutions," I have now switched over to using VCC online.

Edited June 16, 2014 by Rok

[iih1]

@Rok

Me just uses Normal Paypal..and should added also my CC more CC added the better as Paypal said..not yet tried.. :unsure:

@iih1, I don't personally add my CC's to online portals until it is necessary. Since, VC are now available almost with every financial institutions, I have just got rid-off using CC online.

already switch to VCC...more less risk..btw thanks for your attention.....i will ask you ..for this..used rarely just if necessary.

[humble3d]