[thelist] What method does Paypal use to do this?

Jonathan_A_McPherson at rl.gov Jonathan_A_McPherson at rl.gov
Wed Aug 21 18:43:03 CDT 2002


> Question: How is this accomplished? If a user gave
> their username and password voluntarily to a website
> (called them company A), could that website go out and
> gather all of the user's information in their account
> at company "B"? Could it come back in a usable format?

In a word: Yes.

I don't know how PayPal does it -- I've never used it or eBay -- but this is
theoretically not difficult at all.

All you have to do is write software that "pretends" to be the user you have
username/password information for on the other site. For instance, I could
write a program that automatically went to my bank's account management
page, entered my username and password, and then parsed the HTML that came
back to see what my account balance was. (I wouldn't do this for security
reasons, of course, but there's no reason I couldn't.) The program can get
any information that I could on the Web site. All it needs to know is
_exactly_ how the site is laid out and where in the resultant data the
interesting information is.

Simulating users on the Web is nothing new. Web site "stress test" kits have
been doing it for ages. Web spiders do it too; they just can't get past
login screens -- unless they have a valid login!

Now, the limiting factor here is that Company A can only see/do things that
the user could see/do themselves on Company B's web site. There is no magic
involved; the program Company A is running just pretends to be the user on
Company B's web site and then tries to make sense of the HTML that comes
back.

If Company B does not want this to happen, they can take countermeasures.
They can write their pages so they come back with slightly different code
every time to frustrate Company A's parsing efforts. They can limit the
amount of data about the user that gets displayed. But in the end, it will
become a technical fighting match between Company B's programmers, who want
to ensure only humans are using their site, and Company A's programmers, who
want their programs to appear as humans.

So -- to make a long story short -- if PayPal has your username/password on
eBay, they can pretend to be you on eBay, and therefore they can gather any
data and make any changes that you could yourself after logging in.

--
Jonathan McPherson, LMIT/SD&I
Software Engineer & Web Systems Analyst
email / jonathan_a_mcpherson at rl dot gov
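The credential-replay scraping Jonathan describes, and the "slightly different code every time" countermeasure, as an added worked example. This is not code from the original post and contacts no real site: "Company B" is a constructed in-memory stand-in with a login form and an account page (the account name, password, balance, URL paths, form field names and cookie name are all assumptions). The client logs in with the user's credentials, keeps the session cookie, fetches the account page and pulls the balance out of the HTML. Two parsers are shown: a brittle one keyed on an exact markup string, and a structural one that survives Company B's markup shuffling.

```python
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs


class CompanyB:
    """Constructed stand-in for Company B's site (an assumption, not a real service).
    POST /login sets a session cookie; GET /account renders the balance.
    With vary_markup=True the element around the balance changes on every render,
    the countermeasure the post mentions."""

    ACCOUNTS = {"alice": ("s3cret", "1,234.56")}   # constructed sample data
    TAGS = ["span", "b", "em"]

    def __init__(self, vary_markup=False):
        self.sessions = {}
        self.vary_markup = vary_markup
        self.renders = 0

    def post(self, path, body, cookies):
        """Returns (status, headers, html) like an HTTP response."""
        if path != "/login":
            return 404, {}, "<html><body>Not found</body></html>"
        fields = parse_qs(body)
        user = fields.get("user", [""])[0]
        pw = fields.get("pass", [""])[0]
        if user in self.ACCOUNTS and self.ACCOUNTS[user][0] == pw:
            sid = secrets.token_hex(8)
            self.sessions[sid] = user
            return 302, {"Set-Cookie": "SID=" + sid, "Location": "/account"}, ""
        return 200, {}, "<html><body><p class='err'>Bad login</p></body></html>"

    def get(self, path, cookies):
        user = self.sessions.get(cookies.get("SID"))
        if user is None or path != "/account":
            return 403, {}, "<html><body>Please log in</body></html>"
        balance = self.ACCOUNTS[user][1]
        if self.vary_markup:
            self.renders += 1
            tag = self.TAGS[self.renders % len(self.TAGS)]
            pad = " " * (self.renders % 5 + 1)
            html = (f"<html><body>{pad}<div class='bal'>Balance:{pad}"
                    f"<{tag} id='balance'>{balance}</{tag}></div></body></html>")
        else:
            html = ("<html><body><div class='bal'>Balance: "
                    f"<span id='balance'>{balance}</span></div></body></html>")
        return 200, {}, html


class BalanceParser(HTMLParser):
    """Structural parse: collect the text inside whatever element has id='balance',
    regardless of tag name or surrounding whitespace."""

    def __init__(self):
        super().__init__()
        self.depth = 0          # >0 while inside the balance element
        self.balance = ""

    def handle_starttag(self, tag, attrs):
        if self.depth or dict(attrs).get("id") == "balance":
            self.depth += 1

    def handle_endtag(self, tag):
        if self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.balance += data


def fetch_balance(site, username, password, parser="structural"):
    """Company A's program: log in as the user, follow the redirect with the
    session cookie, and extract the balance. Returns None on any failure."""
    cookies = {}
    status, headers, _ = site.post("/login", f"user={username}&pass={password}", cookies)
    if status != 302:
        return None                      # credentials rejected
    name, _, value = headers["Set-Cookie"].partition("=")
    cookies[name] = value
    status, _, page = site.get(headers["Location"], cookies)
    if status != 200:
        return None
    if parser == "brittle":
        # Fixed-string parse: only works while the markup is exactly as first seen.
        marker = "<span id='balance'>"
        i = page.find(marker)
        if i < 0:
            return None
        return page[i + len(marker):page.find("</span>", i)]
    p = BalanceParser()
    p.feed(page)
    return p.balance.strip() or None


if __name__ == "__main__":
    print("stable site, brittle parser:", fetch_balance(CompanyB(), "alice", "s3cret", "brittle"))
    print("varying site, brittle parser:", fetch_balance(CompanyB(True), "alice", "s3cret", "brittle"))
    print("varying site, structural parser:", fetch_balance(CompanyB(True), "alice", "s3cret"))
    print("wrong password:", fetch_balance(CompanyB(), "alice", "wrong"))
```

The structural parser is the first move in the "fighting match" the post predicts: Company B can rotate tag names and whitespace cheaply, but as long as the balance stays machine-identifiable (here by an id attribute), Company A adapts at the same cost. Only reducing what the logged-in user can see, or requiring something a script cannot supply, changes the balance of effort.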


