
I've looked deep into a Donation Reward system integrated in a game, and found out that they do validate their donations on PayPal through the email that PayPal sends back as confirmation to their email. I've got some similar game files, decompiled (Java) the sources and found this:

    // Only requirement on the sender: the From header must END WITH the PayPal address
    if (((msgCont instanceof String)) && (from.endsWith("<member@paypal.com>"))) {
        String str = msgCont.toString();
        String[] strs = str.split("\n");
        // The third body line must carry the fixed donation sentence
        if (strs[2].startsWith("This email confirms that you have received a donation of€")) {
            // Fields are extracted by fixed offsets: donor between the parentheses,
            // 17-character confirmation number, amount between offset 57 and " EUR"
            Main.handleDonation("Paypal",
                strs[2].split("\\)")[0].split("\\(")[1],
                str.split("Confirmation number: ")[1].substring(0, 17),
                (int) Double.parseDouble(strs[2].substring(57, strs[2].indexOf(" EUR"))));
        } else {
            System.out.println("[FATAL] Corrupted donation from:\n->" + from + " (Please check this eMail)");
        }
    }

As you can see, they check whether the FROM tag ends with <member@paypal.com>.

So the trick here to exploit their system would be to send an email with a FROM tag that ends with member@paypal.com. I've tried a few PHP-based spoofers, but no luck yet.

Any idea if that's possible? I am asking mostly to know if this kind of validation is secure.

Jim Lewis
usrnvm43894
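An added illustration (not from the question or from the game's code) of what the posted check actually validates: a Python mirror of the decompiled logic run over two constructed messages that differ only in whether the receiving mail server verified PayPal's DKIM signature. The `Authentication-Results` header and the `mx.example` host are assumptions about how the receiving MTA is deployed; the From-suffix check accepts both messages, the DKIM check does not.

```python
import re
from email import message_from_string

# Prefix the decompiled code keys on; as quoted it is 57 characters long,
# which is exactly the offset the Java substring(57, ...) starts from.
PREFIX = "This email confirms that you have received a donation of€"
AUTH_RE = re.compile(r"dkim=pass\b.*?header\.d=paypal\.com\b", re.S)

def posted_check(raw):
    """Python mirror of the decompiled Java check: From-header suffix plus
    fixed-offset body parsing. Bounds-checked so bad input gives None instead
    of an exception; the acceptance logic itself is unchanged."""
    msg = message_from_string(raw)
    if not (msg.get("From") or "").endswith("<member@paypal.com>"):
        return None
    body = msg.get_payload()
    lines = body.split("\n")
    if len(lines) < 3 or not lines[2].startswith(PREFIX):
        return None
    line = lines[2]
    try:
        donor = line.split(")")[0].split("(")[1]
        confirmation = body.split("Confirmation number: ")[1][:17]
        amount = int(float(line[len(PREFIX):line.index(" EUR")]))
    except (IndexError, ValueError):
        return None
    return donor, confirmation, amount

def passed_dkim(raw):
    """The question the code should ask instead: did OUR receiving MTA verify
    a DKIM signature for paypal.com? Assumes that MTA writes an
    Authentication-Results header and strips any copy already present on
    inbound mail (hypothetical deployment detail, not from the question)."""
    msg = message_from_string(raw)
    return any(AUTH_RE.search(v) for v in msg.get_all("Authentication-Results", []))

# Constructed samples (not real PayPal mail). Both carry the expected From
# suffix and body layout; only the first was DKIM-verified by our MTA.
BODY = ("Hello,\n\n" + PREFIX + "5.00 EUR from Alice (alice@example.com).\n"
        "Confirmation number: 1AB23456CD789012E\n")
HEADERS = "From: PayPal <member@paypal.com>\nSubject: Donation received\n"
VERIFIED = "Authentication-Results: mx.example; dkim=pass header.d=paypal.com\n" + HEADERS + "\n" + BODY
UNVERIFIED = "Authentication-Results: mx.example; dkim=fail header.d=example.net\n" + HEADERS + "\n" + BODY

if __name__ == "__main__":
    for name, raw in (("verified", VERIFIED), ("unverified", UNVERIFIED)):
        print(name, posted_check(raw), "dkim pass" if passed_dkim(raw) else "no dkim")
```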
  • Doesn't look very robust, nor does it look very secure. – Kayaman Apr 04 '18 at 17:36
  • Are you asking if it's possible to send spoof email? **Yes**. Are you asking if the posted code is reliable or secure? I would say **no**. However, **why** would they post their server validation code in their client? That is, why assume this is the only validation? – Elliott Frisch Apr 04 '18 at 17:39
  • But I said that I own somewhat similar game files. The code I've posted is from the server files and not the client. Considering your first "Yes", their system is vulnerable. – usrnvm43894 Apr 04 '18 at 17:45
  • So you've stolen some code and now you're going to try to commit fraud, but you're not exactly sure how to do that, so you're asking for help? How close am I on a scale of 1-5? – Kayaman Apr 04 '18 at 17:53
  • Well, I would say 1. Files are shared over the internet, and I was willing to use them as well as a base. I've tried to reproduce the exploit to be sure that it's secure. The game we are talking about is no longer available or online. So no offence, but I think you are overthinking. – usrnvm43894 Apr 04 '18 at 18:02
  • Not really, I just don't trust a lot of people here. But yeah, you don't rely on something like email when money is involved. – Kayaman Apr 04 '18 at 18:06

0 Answers