Backbytes: Paypal-using merchant? Strapped for cash? Just take it - it's a feature, says Paypal

Paypal 'bug' that enables merchants to take unlimited amounts from accounts is a feature, not a bug, according to Paypal

If you want to make your living stealing from others, it's always best not to do it as a "sole trader", so to speak, but via a company. After all, if you steal from others by mugging them in the street or breaking and entering, the Old Bill will start to get interested after you do it the first couple of hundred times.

If you set up a company that does much the same thing, though, you can get much richer and the only official hassle you'll get is if BBC's Watchdog programme takes an interest in your activities.

Paypal, though, makes it even easier for such companies to fleece their customers - by enabling them to take unlimited extra amounts from transactions to cover, well, whatever they wish to take.

"In PayPal Express Checkout the Online-Shop can transfer any amount, no matter which amount the client actually confirmed at the PayPal website," claimed computer student Jan Kechel in a posting to Seclists.org. Regardless of whether the merchant took an extra €1 or €200, the "bug" discovered by Kechel worked a treat.

But when Kechel told Paypal, he was told that far from being a bug, the ability for merchants to take as much as they liked from customers - regardless of the price that the buyer had agreed to pay - was actually a "feature". Paypal claimed that it enabled merchants to tack on extras, such as postage and packing.

So, if you fancy a life of crime, don't mug old ladies: set up shop on the internet, take payment via Paypal, then charge as much as you like in "surcharges".

And that's a feature of Paypal, not a bug!

@backbytes