How I hacked PayPal to create money

Demircan Celebi
2 min read · Oct 10, 2014


I discovered this bug on Aug 31, 2014 when I was trying to set up PayPal on my website for accepting payments. I notified PayPal about this bug and they have fixed it now.

So, how did it work? Simply put, PayPal charges you a fee for accepting payments, but only deducts it if you have credit in your account, and they (used to) pay this fee back to you when you issue a refund.

I created a new PayPal account to be able to accept payments online, and tried to complete a transaction in which the price was only $0.01. I put the “Buy Now” button on my site and paid the price with my personal account.

I switched to my website account on PayPal and saw that the transaction was successful. As I was planning to do many more test transactions, I thought of refunding it and playing with different amounts of money. So I did.

I looked at my balance and saw that I had $0.29. I saw that this money came from PayPal when I refunded that $0.01. I sent that money to my personal account and repeated the process, and it worked again. WOW. I was literally creating money out of thin air on PayPal. This is a screenshot of my transactions:

As you can see, a month ago they would pay the fee back, but they no longer do, so it is safe to share what I found. Three conditions had to be met for this bug to work:

  1. The account which receives the money should have a zero balance (or at least less than $0.30).
  2. The transaction amount sent to this account should be lower than $0.30 ($0.01 to maximize the gain).
  3. The account which receives the money should issue a refund. (This way it gets the fee back from PayPal, which it should never have received, because the fee was never deducted in the first place: there was no balance to deduct it from.)
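To make the logic error concrete, here is an added toy ledger (my own example, not PayPal's code) that models the behaviour described above with a constructed flat 30-cent fee. It shows the refund path that credits the scheduled fee unconditionally beside a corrected one that only returns the fee the ledger actually collected.

```python
from dataclasses import dataclass, field

# Constructed flat per-transaction fee in cents; not PayPal's real fee schedule.
FIXED_FEE_CENTS = 30


@dataclass
class Account:
    balance: int = 0                                   # cents
    fee_collected: dict = field(default_factory=dict)  # txn id -> fee actually deducted


def receive_payment(acct, txn_id, amount_cents):
    """Credit a payment and deduct the fee only if the balance can cover it."""
    acct.balance += amount_cents
    charged = FIXED_FEE_CENTS if acct.balance >= FIXED_FEE_CENTS else 0
    acct.balance -= charged
    acct.fee_collected[txn_id] = charged   # record what was really taken
    return charged


def refund_buggy(acct, txn_id, amount_cents):
    """Flawed: returns the *scheduled* fee whether or not it was ever deducted."""
    acct.balance -= amount_cents
    acct.balance += FIXED_FEE_CENTS
    return acct.balance


def refund_fixed(acct, txn_id, amount_cents):
    """Corrected: return only the fee the ledger shows was collected for this txn.
    pop() also makes a second refund of the same txn return nothing extra."""
    acct.balance -= amount_cents
    acct.balance += acct.fee_collected.pop(txn_id, 0)
    return acct.balance


def run_cycle(refund_fn, rounds):
    """Simulate the post's loop: 1-cent payment, refund, sweep balance out, repeat.
    Returns the total withdrawn, i.e. money created from nothing."""
    acct = Account()
    withdrawn = 0
    for i in range(rounds):
        receive_payment(acct, f"txn{i}", 1)
        refund_fn(acct, f"txn{i}", 1)
        withdrawn += acct.balance      # sweep to another account so balance is zero again
        acct.balance = 0
    return withdrawn
```

With the flawed refund every cycle yields the full fee, while the corrected refund yields nothing because nothing was collected, and a funded account still gets its genuinely deducted fee back on refund.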

I understand that the case I came across might not be so easy to spot, but it is still interesting to see that such mistakes can be made in such a big organization.

p.s. OK, I just came across a specific case; I did not hack anything in that sense. I thought about writing a program to automate this process using their REST API, as any hacker would do, but I created a bug ticket instead ☺.

hackernews link

I’m @demircancelebi on Twitter.
