Security Alerts & News
by Tymoteusz A. Góral

History
#1750 Amazon and eBay sellers' VAT fraud rife despite crackdown
Huge numbers of VAT fraudsters are illegally selling goods tax-free to British shoppers on Amazon and eBay this Christmas, despite new government efforts to crack down on this ballooning £1bn VAT evasion crisis.

A Guardian investigation found a wide variety of popular goods being illegally sold without VAT on Britain’s leading shopping sites. They range from cheap Christmas tree lights, electric toothbrushes and thermal socks to expensive laptops, iPads, music keyboards, violins and pingpong tables.

In some cases, VAT fraudsters offer unbeatable prices. Mostly, however, their prices remain in line with law-abiding competitors and the proceeds of evasion disappear overseas, often to China.
#1749 PayPal fixes OAuth token leaking vulnerability
PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application.

The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client. For its part, PayPal remedied the vulnerability about three weeks ago.

The OAuth flaw, according to Sanso, stemmed from the token request and acquisition process. For starters, PayPal allows developers to create and edit their own apps through its developer application dashboard. After creating them, developers can register those apps and obtain an access token for them by sending a request to the company, which acts as an authorization server. That PayPal server could be overridden, however, Sanso found.