PayPal vulnerable to critical web application vulnerability


PayPal, the eBay-owned digital payment and money transfer service, has been found to be vulnerable to a critical web application vulnerability that could allow an attacker to take control of a user's PayPal account with a single click, putting more than 156 million PayPal users at risk.

Egyptian security researcher Yasser Ali demonstrates in a YouTube proof-of-concept video how he was able to trick PayPal's servers into treating him as if he had successfully logged in as any user. Ali bypassed PayPal's security checks by way of a CSRF (cross-site request forgery) attack. By monitoring the data sent back by PayPal in response to a POST request, he was able to capture an anti-CSRF token that was valid for any of its users.

Ali also found that changing the security questions on a PayPal account required no password re-authentication. Once he had the token in his possession, he was able to gain full control over an account by modifying the security answers with a small Python script running on his own computer.

Here is the PoC video:
</gre_replace>
<gr_replace lines="22" cat="clarify" orig="The vulnerability">
The vulnerability is of the Cross-Site Request Forgery (CSRF) type. The weakness lies in the "Auth" token that is meant to authenticate every request made by the user. Although a new token is issued with every request, Ali found that it remained reusable for the specific user email address or username it was issued for, rather than being bound to the session that obtained it. An attacker who obtained a token for a target account could therefore forge requests on behalf of that user while they were logged in.

The vulnerability is of the Cross-Site Request Forgery (CSRF) type. The security hole is in the “Auth” token responsible for authenticating every single request made by the user. Although it is changed with every request made by the user, Ali found it is reusable for that specific user email address or username, meaning an attacker could use it to make actions on behalf of any logged-in user.
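The two design flaws described above, a token bound to the account instead of the caller's session and a sensitive change with no password re-authentication, can be modelled in a few lines. The following is an added example written for this page, not PayPal's code or Ali's script; the token-harvesting step, the account names, passwords and the security-answer store are all constructed for the demonstration, and the vulnerable variant simply assumes that a fresh token can be requested for any target account, which is the behaviour the article describes.

```python
"""Toy model of the CSRF-token weakness described above (added example, not PayPal code).

Assumptions (constructed for illustration): the vulnerable server accepts an "Auth"
token as long as it was ever issued for the target account, and lets the security
answers be changed without a password. The hardened variant binds the token to the
caller's session and re-authenticates the sensitive change.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated for the demo


class VulnerableApp:
    """Token changes on every request but is accepted for any request naming that user."""

    def __init__(self):
        self.tokens = {}   # username -> every token ever issued, never invalidated
        self.answers = {}  # username -> security-question answers

    def issue_token(self, target_username):
        # Any caller can obtain a fresh token for any account (the harvesting step)
        tok = secrets.token_hex(16)
        self.tokens.setdefault(target_username, set()).add(tok)
        return tok

    def change_security_answers(self, username, token, new_answers):
        # Weakness 1: the token is bound to the account, not to the caller's session
        if token not in self.tokens.get(username, set()):
            return False
        # Weakness 2: no password re-authentication for a sensitive change
        self.answers[username] = new_answers
        return True


class HardenedApp:
    """Token is an HMAC over the session id; the change also requires the password."""

    def __init__(self):
        self.passwords = {}  # username -> (salt, pbkdf2 digest)
        self.sessions = {}   # session id -> username
        self.answers = {}

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.passwords[username] = (salt, digest)

    def _check_password(self, username, password):
        if username not in self.passwords:
            return False
        salt, digest = self.passwords[username]
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(cand, digest)

    def login(self, username, password):
        if not self._check_password(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def csrf_token(self, session_id):
        # Derived from the session id, so a token cannot be harvested for someone else's session
        return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

    def change_security_answers(self, session_id, token, password, new_answers):
        username = self.sessions.get(session_id)
        if username is None:
            return False
        if not hmac.compare_digest(token, self.csrf_token(session_id)):
            return False  # token not bound to this session: forged request rejected
        if not self._check_password(username, password):
            return False  # sensitive change needs re-authentication
        self.answers[username] = new_answers
        return True


def forged_request_succeeds_vulnerable():
    app = VulnerableApp()
    harvested = app.issue_token("victim")  # attacker obtains a token valid for the victim
    # ...and replays it in a request made on the victim's behalf: accepted
    return app.change_security_answers("victim", harvested, {"pet": "attacker-chosen"})


def forged_request_succeeds_hardened():
    app = HardenedApp()
    app.register("victim", "correct horse battery staple")
    app.register("attacker", "hunter2")
    victim_sid = app.login("victim", "correct horse battery staple")
    attacker_sid = app.login("attacker", "hunter2")
    # CSRF: the victim's browser attaches the victim's session, but the attacker can only
    # supply a token minted for their own session and has to guess the password
    return app.change_security_answers(victim_sid, app.csrf_token(attacker_sid), "hunter2", {"pet": "x"})


def legitimate_request_succeeds_hardened():
    app = HardenedApp()
    app.register("victim", "correct horse battery staple")
    sid = app.login("victim", "correct horse battery staple")
    return app.change_security_answers(sid, app.csrf_token(sid), "correct horse battery staple", {"pet": "rex"})
```

The hardened variant rejects the forged request on two independent grounds: the token check fails because the attacker's token was derived from a different session id, and even a correct token would not suffice without the account password. Either control alone would have blocked the attack described in the article; defence in depth means both are applied.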

UPDATE: The security hole has since been plugged and PayPal has paid out a reward via its Bug Bounty Program.
