PayPal, the eBay-owned digital payment and money transfer service, has been found vulnerable to a critical web application flaw that could let an attacker take over a user's PayPal account with a single click, putting more than 156 million PayPal users at risk.
An Egyptian security researcher named Yasser Ali demonstrated in a YouTube proof-of-concept video how he was able to trick PayPal's servers into accepting requests as though he had successfully logged in as any user. Ali bypassed PayPal's security checks by way of a CSRF (cross-site request forgery). By monitoring the data his browser sent to PayPal in a POST request, he captured an anti-CSRF token that turned out to be valid for all of PayPal's users.
Ali also discovered that changing the security questions on a PayPal account required no password re-authentication. Once he had the token in hand, he could gain full control over an account by modifying its security answers with a small Python script running on his own computer.
Here is the proof-of-concept video:
The vulnerability is of the cross-site request forgery (CSRF) type. The hole lies in the "Auth" token that is meant to authenticate every single request a user makes. Although a fresh token is issued with every request, Ali found that an issued token stayed reusable and was not tied to the session or account it was issued for, meaning an attacker could capture a token from his own session and use it to perform actions on behalf of any other logged-in user.
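To make the two flaws concrete, here is an added example (not PayPal's code, and not Ali's script) that models them in a small in-memory web app: a token that is minted per request but validated only against a global pool, and a security-answer change that asks for no password. Beside it is the hardened form, with a token bound to the session and compared in constant time, plus re-authentication before the sensitive change. All class, method and account names are assumptions made for this illustration; passwords are kept as plain strings only to keep the model short.

```python
import hmac
import secrets

# Added example, not PayPal's implementation: an in-memory model of the two
# flaws described in the article. Names are assumptions for illustration.


class VulnerableApp:
    """A fresh token is minted on every page load, but it is validated only for
    membership in one global set, so it is not bound to the session that
    received it: a token captured from the attacker's own session is accepted
    in a forged request that rides on the victim's cookie."""

    def __init__(self):
        self.valid_tokens = set()   # every token ever issued, for every user
        self.accounts = {}          # user -> {"password": ..., "answers": ...}

    def register(self, user, password, answers):
        self.accounts[user] = {"password": password, "answers": dict(answers)}

    def render_form(self, session_user):
        # Changes with every request, as the article notes...
        token = secrets.token_hex(16)
        self.valid_tokens.add(token)     # ...but is stored without a session binding
        return token

    def update_security_answers(self, session_user, token, new_answers):
        # Flaw 1: any token ever issued passes, whoever it was issued to.
        if token not in self.valid_tokens:
            return False
        # Flaw 2: no password re-authentication before a sensitive change.
        self.accounts[session_user]["answers"] = dict(new_answers)
        return True


class HardenedApp:
    """One token per session, compared in constant time, plus a password
    check before the security answers can be rewritten."""

    def __init__(self):
        self.session_tokens = {}    # session_user -> that session's own token
        self.accounts = {}

    def register(self, user, password, answers):
        self.accounts[user] = {"password": password, "answers": dict(answers)}

    def render_form(self, session_user):
        if session_user not in self.session_tokens:
            self.session_tokens[session_user] = secrets.token_hex(32)
        return self.session_tokens[session_user]

    def update_security_answers(self, session_user, token, password, new_answers):
        expected = self.session_tokens.get(session_user)
        if expected is None or not hmac.compare_digest(expected, token):
            return False            # token missing or issued to another session
        stored = self.accounts[session_user]["password"]   # plaintext only for brevity
        if not hmac.compare_digest(stored, password):
            return False            # re-authentication failed
        self.accounts[session_user]["answers"] = dict(new_answers)
        return True


def forge_against_victim(app, hardened):
    """Replays the article's attack against either app: the attacker logs into
    his own account, captures the token returned for *his* request, then has
    the victim's browser submit a security-question change carrying it.
    Returns (request accepted?, victim's answers afterwards)."""
    app.register("victim", "correct horse", {"first pet": "rex"})     # constructed data
    app.register("attacker", "hunter2", {"first pet": "n/a"})

    captured = app.render_form("attacker")      # token seen in the attacker's own POST
    forged = {"first pet": "owned"}
    if hardened:
        # A CSRF page can only supply what the attacker knows: his own token
        # and his own password, neither of which belongs to the victim.
        ok = app.update_security_answers("victim", captured, "hunter2", forged)
    else:
        ok = app.update_security_answers("victim", captured, forged)
    return ok, app.accounts["victim"]["answers"]


if __name__ == "__main__":
    print("vulnerable:", forge_against_victim(VulnerableApp(), hardened=False))
    print("hardened:  ", forge_against_victim(HardenedApp(), hardened=True))
```

The `session_user` argument stands in for whatever cookie the victim's browser attaches automatically; the point of the model is that rotating the token on every response buys nothing if the server never checks which session the token was issued to.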
UPDATE: The security hole has since been plugged, and PayPal has paid out rewards via its Bug Bounty Program.