PayPal Digital Gift Cards code leak

Martin Brinkmann
Sep 6, 2016

PayPal is not only a dominating force when it comes to making online transactions between individuals and companies, it also branched of in other areas such as gift cards.

You may visit the site PayPal Gifts to purchase gift cards for various popular online and offline services using a PayPal account.

The service has a security issue currently that is caused by an improperly configured server, or more precisely, a robots.txt file.

Basically, what happens is that search engines index the "here is your PayPal gift card" pages on the site. These pages show the code of the gift card among other things. This means that anyone may use the code to grab the credit before the recipient may have a chance to redeem it.

paypal gift card

Good news is that only a handful of pages are indexed currently by Google. The main reason for this is that the gift pages are not linked anywhere on the PayPal Digital Gifts site. This means that they can only come in the index of they are linked from a location that search engine bots have access to.

Customers who purchase gift cards using PayPal's Digital Gifts service need a PayPal account for that. Recipients on the other hand don't. They can take the code and redeem it directly using the service it was created for.

The service supports a wide variety of popular online services including iTunes, Google Play, Best Buy or Apple Music.

A robots.txt file is used by webmasters to "tell" search engine bots what they can and cannot crawl on the site.

The theory is that search engines ignore any "forbidden" area as indicated by the file so that it is not indexed.

Something that is not indexed cannot come up in the search results. PayPal on the other hand redirects the robots.txt file which means that it does not use one on the site.

While fairly limited in scope, it is an issue nevertheless, and one that does not paint PayPal in a kind light.

Take away: if you get a digital gift card, redeem it right away. If you buy one, make sure the recipient does so to avoid any issues with the information leaking online.

Now You: Do you use gift cards?

PayPal Digital Gift Cards code leak
Article Name
PayPal Digital Gift Cards code leak
Gift cards purchased using PayPal's Digital Gifts service may leak due to an improperly configured robots.txt file that does not prevent search engine indexing.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Trung said on October 4, 2016 at 10:30 pm
  2. Jason said on September 7, 2016 at 12:38 pm

    I think the leaked cards you can see on google was just a test by the crooks. The hack was much larger than this and thousands of people who bought gift cards on paypal are having their gift cards stolen:

  3. Chains The Bounty Hunter said on September 6, 2016 at 9:14 pm

    Explaining how this works seems… dubious. Granted, most of the time if people REALLY want to do things like this, then they’re probably aware of potentially even better ways to acquire the info they desire but still, having something like that graphic up essentially detailing it seems not good. But, this isn’t my site and it certainly isn’t my article, so my criticism of how information is disseminated through such things is rather worthless.

    As to the larger issue at hand, I have to assume SOMEONE involved with both the card site and Paypal is aware of this. Potentially to the end that any accounts redeeming the codes get flagged for review and if it’s determined that a single account has used a massive amount of redemptions in such a short period then the account could be closed without issue (or some other action taken).

    1. ams said on September 7, 2016 at 2:02 am

      “any accounts redeeming the codes get flagged for review”

      Chains, you’re missing the point (the point of “Why would anyone purchase a PayPal gift card”).
      The gift card mechanism is provided to accommodate the scenario where the intended recipient doesn’t have a PayPal account, or for reason of anonymity the prospective recipient doesn’t wish to REVEAL to the sender his email-address-of-record.

  4. fena said on September 6, 2016 at 2:27 pm

    Never & never use paypal or any other form of online money transfer. Too dangerous especially here in Asia

    1. ams said on September 7, 2016 at 2:08 am

      I’m saddened to to hear that.

      I’m in USA and (trading with other USA paypal users, via ebay and other ecommerce venues), across the past decade, across well over a thousand PayPal transactions… I’ve never encountered a bad incident.

  5. John said on September 6, 2016 at 1:08 pm

    Just send the money via Paypal to the email address. Paypal will then notifiy them and they can create an account with that email address.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.