Hacker News new | ask | show | jobs
by 411111111111111 1226 days ago
That's inherent to features that allow user generated content, which is obviously mandatory in the context of PayPals invoicing feature.

The only reason why companies don't care about it in the context of mail is because there is no equivalent to safe browsing for mails, so Domains aren't penalized by Google for sending fraudulent messages at small scale. If this was to change, they'd all pivot to using secondary domains for these mails, like GitHub does for GitHub pages.

It would also be a pretty pointless feature as you'd probably complain anyway, as the email would still come from a Paypal owned domain.

On the same topic: if you've got a Gmail address you're also able to send from @googlemail.com

Is this another security issue in your opinion?
1 comments
patentatt 1226 days ago
How about disallowing urls or even just vetting urls in the messages sent from your own service? One of the ones I received was a link to a fake PayPal login that was something along the of lines of (making this up) http://login.PayPal.com.somethingsketchy.biz/login.php and was a replica of the PayPal login screen. It was pretty blatant. Seems like they should figure out a way to avoid that is all, because I know my mother would have put in her PayPal credentials to that site and I'd be hard pressed to fault her for it. We train users to check if it's a valid/real email before clicking on links and this was a perfectly real email sent from PayPal with a malicious link. This seems like PayPal's responsibility to me. I'm shocked they don't care about this.
link
411111111111111 1226 days ago
Vetting is impossible, the scammers can just change the content of the page after the PayPal bot requested the website. Human vetting is even more impossible, invoices will always require unique links for each mail.

Nor does it matter wherever it's a clickable link or text in this context. The only way to "solve" your issue is by removing user generated content, which makes the invoicing feature inherently impossible.

If you're seriously shocked that PayPal isn't decommissioning a highly profitable feature because a random carebear worries about their family... Then you're honestly out of touch with reality.

Most people nowadays know that emails are untrustworthy, and if your family doesn't... Then you should tell them that, as they're bound to get scammed eventually if they click on any links from their inbox.

link
crtasm 1226 days ago
http://login.PayPal.com.somethingsketchy.biz/login.php

paypal in a URL pointing to a non-paypal domain, no need to load the webpage to flag that.

link