Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

PayPal Fixes Remote Code Execution Flaw in Partner Program Website

PayPal’s Partner Program website (paypal-marketing.com) was plagued by a vulnerability that could have been exploited for remote code execution.

PayPal’s Partner Program website (paypal-marketing.com) was plagued by a vulnerability that could have been exploited for remote code execution.

The security hole was identified by Milan Solanki, a member of Germany-based Vulnerability Lab. According to an advisory published by the security firm, the bug discovered by the expert is related to the Java Debug Wire Protocol (JDWP), the protocol used for communication between a debugger and the Java virtual machine which it debugs.

IOActive researchers showed in April 2014 that the JDWP service can be abused for reliable remote code execution. IOActive also released jdwp-shellifier, a tool designed to help penetration testers achieve remote code execution on the JDWP service.

Using IOActive’s tool, Solanki connected to the PayPal partner site on port 8000. Once connected, the expert said he was able to execute server-side commands with root privileges. The researcher published a video to demonstrate his findings.

Vulnerability Lab told SecurityWeek that PayPal awarded the researcher $1,500, the maximum bounty for security bugs found in partner websites.

“The security community’s contributions to PayPal’s Bug Bounty Program are what makes the program valuable and successful. Participants are rewarded based on the classification, security issue and overall vulnerability determined by PayPal’s security engineers,” PayPal told SecurityWeek. “We take remote code execution (RCE) vulnerabilities very seriously, and reward up to $1,500 for those found on partner sites. Sensitive information is not stored on these partner sites.”

Advertisement. Scroll to continue reading.

According to PayPal, the bug found by Solanki was fixed within 48 hours. The company says it hasn’t found any evidence of unauthorized access or compromise to the server data.

This isn’t the only PayPal vulnerability identified by Solanki. Last month, the researcher reported uncovering a cross-site scripting (XSS) flaw for which the online payments system awarded him $750.

Details on the rewards offered by PayPal and instructions on submitting bugs can be found on the company’s Bug Bounty page.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.