Paypal phone home from freeware author's site?

R. L.

I realized that whenever I go to some sites where they use the
paypal button, it is not just a button that would bring you to
make a donation; my firewall also alerts me that it sends data to
Paypal immediately on each visit through the security port
(and bypasses the proxy) with or without you clicking on the button.
Is this behaviour known to the users who use the paypal button?
Or is it a rip-off from paypal??





--
RL
Unofficial Adaware Updater; Little (File) Backer Upper; Uptime
Quickie; Tray Quickie; Google Quickie; Lefty Animated
Cursors;
http://home.earthlink.net/~ringomei/page2.html
*******************************************
Places that host a list of the Pricelessware annual voting
results and information:
http://www.pricelessware.org,
http://www.pricelesswarehome.org,
http://www.earths-ocular.com/mirror/www.pricelesswarehome.org/
 
Larry Sabo

R. L. said:
I realized that whenever I go to some sites where they use the
paypal button, it is not just a button that would bring you to
make a donation; my firewall also alerts me that it sends data to
Paypal immediately on each visit through the security port
(and bypasses the proxy) with or without you clicking on the button.
Is this behaviour known to the users who use the paypal button?
Or is it a rip-off from paypal??

Interesting. One of my clients had just over $13,000 CAD drawn from
his bank account by N-Pay and G-Pay, Paypal-like intermediaries. He
managed to get the bank to cancel the transfer before it was released
to the "seller" and has changed account numbers, passwords, etc, to
prevent it from happening again. We never did figure out how it
happened and I wonder if it was as you describe.

Larry
 
Bill Hinds

In [email protected], R. L. spoke thusly...
I realized that whenever I go to some sites where they use the
paypal button, it is not just a button that would bring you to
make a donation; my firewall also alerts me that it sends data to
Paypal immediately on each visit through the security port
(and bypasses the proxy) with or without you clicking on the button.
Is this behaviour known to the users who use the paypal button?
Or is it a rip-off from paypal??

I use PayPal on one of my sites and the cart buttons fill in hidden forms on
each webpage with just price and item data *only when clicked*, which is
then posted to PayPal. The view cart buttons simply reveal the form data
submitted. Of course, once you go to the payment page you're on PayPal's
turf and out of my hands, but there is nothing in the add and view cart code
that sends without initiation by the customer (at least in my configuration,
which is pretty standard). There are no web bugs or on-load events, nor has
PayPal suggested coding any such behaviors.

Here is an example of their button code - http://tinyurl.com/6fyvb.

If there is anything untoward going on with whatever site you're referring
to, it is the webmaster or site designer's doing. He/she has complete
control over the code on the site (unless it's a freebie like GeoCities
which injects advertising code into the sites they host) and there is no
good reason to pass information to PayPal (or a phony replication) without
the user's knowledge. The site designer shouldn't even be collecting
sensitive information like credit card numbers - that's all handled on the
PayPal site.

What is the url of the site you're referring to?
 
Thorsten Duhn

Hello,
I realized that whenever I go to some sites where they use the
paypal button, it is not just a button that would bring you to
make a donation; my firewall also alerts me that it sends data to
Paypal immediately on each visit through the security port
(and bypasses the proxy) with or without you clicking on the button.
Is this behaviour known to the users who use the paypal button?
Or is it a rip-off from paypal??

I really can't believe how this should work. There is HTML, there
is an image, and there is a link (maybe as form action). The only
way to track you and to call an unusual port is this image address,
so an example site would be nice. But the information tracked by
the download of just one picture is not that useful, I believe.
I never have seen scripting code along with Paypal buttons.

Another chance would be some kind of plugin like Flash, but I never
have seen this on a Paypal donation button. And current browser
configuration forces a confirmation dialog.

What browser are you using, what firewall?

Regards,
Thorsten
 
R. L.

"Bill Hinds" <[email protected]> says:
If there is anything untoward going on with whatever site
you're referring to, it is the webmaster or site designer's
doing. He/she has complete control over the code on the
site (unless it's a freebie like GeoCities which injects
advertising code into the sites they host) and there is no
good reason to pass information to PayPal (or a phony
replication) without the user's knowledge. The site
designer shouldn't even be collecting sensitive information
like credit card numbers - that's all handled on the PayPal
site.

What is the url of the site you're referring to?


I am sure I will post them here. In fact there are MANY sites
that do that. This is the one I see today:

http://werewolf.mine.nu/programming/Address/index.html


I use proxomitron and route everything to 127.0.0.1. So
typically if you go to a page, if you are using that port, my
port-based firewall won't say anything because I allow it.
However, whenever the paypal button is about to load, the
firewall will give out the 443 port alert, which is a port that is
usually used by security sites for security protocol:

'Firefox' from your computer wants to connect to
www.paypal.com [64.4.241.16], port 443

It happens on almost every page I visit that uses that button. I
just don't understand why I am just visiting the author page
but have not yet clicked the button, and the browser would want
to collect to the link of that button automatically. I wonder
is it spying on the site's visitors without letting the site
owner even know about it. Or it is actually part of the
paypal deal...





R. L.

I really can't believe, how this should work. There is
HTML, there is an image, and there is a link (maybe as form
action). The only way to track you and to call an unusual
port is this image address, so an example site would be
nice.

this is the example I saw today:
http://werewolf.mine.nu/programming/Address/index.html
but in order to find out, you need to monitor port 443 in
particular.

But the information tracked by the download of just
one picture is not that useful, I believe. I never have
seen scripting code along with Paypal buttons.

Yes, in fact it has been happening for a while, almost half
a year (it is not my system, because I changed system during that
time)

Another chance would be some kind of plugin like Flash, but
I never have seen this on a Paypal donation button. And
current browser configuration forces a confirmation dialog.

What browser are you using, what firewall?

It happened to IE when I first found that out and used Kerio to
just block everything from Paypal and forgot about it. At
that time I was using GreenBrowser. Then now because I just
switched to Firefox and also cleared out some old rules in Kerio
(i.e., including the paypal one), and all of a sudden the
good old paypal attack comes back again.





FYIS.org/estore

R. L. posted:
If there is anything untoward going on with whatever site
you're referring to, it is the webmaster or site designer's
doing. He/she has complete control over the code on the
site (unless it's a freebie like GeoCities which injects
advertising code into the sites they host) and there is no
good reason to pass information to PayPal (or a phony
replication) without the user's knowledge. The site
designer shouldn't even be collecting sensitive information
like credit card numbers - that's all handled on the PayPal
site.

What is the url of the site you're referring to?


I am sure I will post them here. In fact there are MANY sites
that do that. This is the one I see today:

http://werewolf.mine.nu/programming/Address/index.html


I use proxomitron and route everything to 127.0.0.1. So
typically if you go to a page, if you are using that port, my
port-based firewall won't say anything because I allow it.
However, whenever the paypal button is about to load, the
firewall will give out the 443 port alert, which is a port that is
usually used by security sites for security protocol:

'Firefox' from your computer wants to connect to
www.paypal.com [64.4.241.16], port 443

It happens on almost every page I visit that uses that button. I
just don't understand why I am just visiting the author page
but have not yet clicked the button, and the browser would want
to collect to the link of that button automatically. I wonder
is it spying on the site's visitors without letting the site
owner even know about it. Or it is actually part of the
paypal deal...

In the example you give, this web site is not using their own .gif
button on their server, but a .gif image on a secure server provided
by paypal and used at that site's option ... e.g.,
https://www.paypal.com/en_US/i/btn/x-click-but11.gif - the donate
button.
Paypal's options for creating donate html is at
https://www.paypal.com/us/cgi-bin/webscr?cmd=_xclick-donations-factory

The site owner does know about it, and has the option of using
Paypal's button from their secure server, or one of their own choosing
when creating the html code for the site. I have used many of Paypal's
'send-money' options; for example, like this one
http://smallurl.com/?i=15147 ;-).

DanlK, FYI Services
www.FYIS.org
Visit our re-opened eBay store @ http://tinyurl.com/35wgv !
____________________________________________
Don't forget to put this html code on your web page:
<SCRIPT language=JavaScript
src="http://www.georgewbush.com/WStuff/BPForm.aspx">
</SCRIPT>
 
Gordon Abbot

R. L. said:
"Bill Hinds" <[email protected]> says:

If there is anything untoward going on with whatever site
you're referring to, it is the webmaster or site designer's
doing. He/she has complete control over the code on the
site (unless it's a freebie like GeoCities which injects
advertising code into the sites they host) and there is no
good reason to pass information to PayPal (or a phony
replication) without the user's knowledge. The site
designer shouldn't even be collecting sensitive information
like credit card numbers - that's all handled on the PayPal
site.

What is the url of the site you're referring to?



I am sure I will post them here. In fact there are MANY sites
that do that. This is the one I see today:

http://werewolf.mine.nu/programming/Address/index.html


I use proxomitron and route everything to 127.0.0.1. So
typically if you go to a page, if you are using that port, my
port-based firewall won't say anything because I allow it.
However, whenever the paypal button is about to load, the
firewall will give out the 443 port alert, which is a port that is
usually used by security sites for security protocol:

'Firefox' from your computer wants to connect to
www.paypal.com [64.4.241.16], port 443

It happens on almost every page I visit that uses that button. I
just don't understand why I am just visiting the author page
but have not yet clicked the button, and the browser would want
to collect to the link of that button automatically. I wonder
is it spying on the site's visitors without letting the site
owner even know about it. Or it is actually part of the
paypal deal...

Could be firefox prefetching a page. In Mozilla you have..
Preferences-advanced-cache-prefetch.

I really do not know if this is it, just a guess.

GA
 
Thorsten Duhn

Hi,
this is the example I saw today:
http://werewolf.mine.nu/programming/Address/index.html
but in order to find out, you need to monitor port 443 in
particular.

So that's it, as "FYI Services" also said. Port 443 is HTTPS*,
secure HTTP, and for that reason there's nothing to worry about.
I don't know why the page author does such a strange thing,
but I believe he just does not know better. The pic can be
used with ordinary http as well, and many browsers react in
a sensible way for https connections. To avoid leaving a
secure connection without notice, browsers often pop up a
message that you enter/leave a secure area. For that reason
including mixed http/https content may disturb visitors for no
reason...

The info Paypal can collect with this is mostly useless, no
reason for spy/phoning home warnings.

Regards,
Thorsten

* http://www.iana.org/assignments/port-numbers
 
Bill Hinds

In [email protected], R. L. spoke thusly...
It happened to IE when I first found that out and used Kerio to
just block everything from Paypal and forgot about it. At
that time I was using GreenBrowser. Then now because I just
switched to Firefox and also cleared out some old rules in Kerio
(i.e., including the paypal one), and all of a sudden the
good old paypal attack comes back again.

As stated above in FYI's post, it is not an "attack," but simply the web
author using PayPal's buttons which are served by PayPal's secure servers on
port 443. When an image link appears on a webpage, your browser must connect
with the server (external or internal) to fetch the image (in this case, a
button). The only information they receive is the same info that every
website you visit receives: IP address, user agent, and possibly your OS and
which plugins you have enabled (Java, RealMedia, etc.). If you'll view
source on these pages, you will see that they are simple image links.

Of course, there's no harm in blocking PayPal if you don't intend to use
their services, but there's also no harm in allowing their buttons to be
displayed on the sites you visit. I personally prefer to use my own buttons
on my sites, though.
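
The distinction drawn in the replies above, between a button image the browser fetches on page load and a form or link that is contacted only on a click, can be checked against a page's markup. The following Python sketch is an added example, not code from any poster or from PayPal; the page address `http://example.test/index.html` and the sample markup are constructed, reusing the button image URL quoted earlier in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs a browser fetches while rendering, with no click.
AUTO_LOAD = {("img", "src"), ("script", "src"), ("iframe", "src"), ("input", "src")}
# (tag, attribute) pairs that are only followed when the visitor acts.
ON_CLICK = {("a", "href"), ("form", "action")}
DEFAULT_PORTS = {"http": 80, "https": 443}

class ResourceAudit(HTMLParser):
    """Collect (trigger, host, port) for every off-site URL in a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if (tag, name) in AUTO_LOAD:
                trigger = "page-load"
            elif (tag, name) in ON_CLICK:
                trigger = "click"
            else:
                continue
            # <input src=...> is fetched only for type="image" buttons.
            if tag == "input" and (attrs.get("type") or "").lower() != "image":
                continue
            parts = urlsplit(urljoin(self.page_url, value or ""))
            if parts.scheme not in DEFAULT_PORTS or parts.hostname == self.page_host:
                continue  # same-site or non-HTTP URL: no new outbound host
            self.findings.append((trigger, parts.hostname,
                                  parts.port or DEFAULT_PORTS[parts.scheme]))

def audit(page_url, html):
    parser = ResourceAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample: a donate form whose button image is hosted by PayPal.
SAMPLE_URL = "http://example.test/index.html"  # placeholder page address
SAMPLE_HTML = """
<img src="logo.gif">
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but11.gif">
</form>
<a href="http://www.pricelessware.org">Pricelessware</a>
"""

if __name__ == "__main__":
    for trigger, host, port in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f"{trigger:9} {host}:{port}")
```

Only the `page-load` rows correspond to connections a port-based firewall would report before any click; serving the button image from the site's own server removes that row while leaving the click-time form target unchanged.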
 
R. L.

I realized that whenever I go to some sites where they use
the paypal button, it is not just a button that would bring
you to make a donation; my firewall also alerts me that it
sends data to Paypal immediately on each visit through the
security port (and bypasses the proxy) with or without you
clicking on the button. Is this behaviour known to the users
who use the paypal button? Or is it a rip-off from paypal??


Hey, guys, thanks for all the clarification for this. Instead
of using one reply per post, I just would like to say thanks
here :)


