Man hacked PayPal Certificate

Moxie Marlinspike, an interestingly named white-hat hacker, quickly discovered that no good deed goes unpunished after PayPal suspended his account for inadvertently assisting in the creation of a counterfeit certificate that enables anyone to hack the Internet payment processor.

Since 2002, he has had a PayPal donation button on his website's download page for a security tool named SSLSniff and another one named SSLStrip.

To paraphrase PayPal's Acceptable Use Policy (which the company's representatives emailed to Marlinspike after his account was suspended), the PayPal site may not be used by anyone to send or receive payments for merchandise containing the private and personal data of third parties in violation of applicable laws.

The correspondence further claims that the account suspension was a security measure PayPal had to implement to protect Marlinspike and his account, and apologizes for any inconvenience resulting from the decision.

The message, sent from an unmonitored PayPal email address, says nothing about which item allegedly violated the company's policies.

What's more, the suspension of Marlinspike's account has automatically frozen five hundred dollars of his funds until he sends a signed affidavit pledging that he has removed all PayPal logos from his website.

The whole debacle started when another hacker published a counterfeit SSL certificate last October 5; recognizing Marlinspike's connection with the development of the certificate, PayPal took action against the white-hat hacker's account even though he was not directly responsible for the hack.

According to him, he was the one who had warned the site about the SSL exploit in the first place, and PayPal rewarded his attempt to help by suspending his account outright.

This is a troubling development for the IT security community: rather than attempting to find the real perpetrator of the incident, PayPal appears to be penalizing a person whose discoveries and insights about the secure sockets layer (one of the Internet's longest-used and most dependable defenses against man-in-the-middle attacks) have been very useful to every site that relies on SSL certificates.