Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Find Vulnerability in Internal PayPal Portal

The existence of a vulnerability in a portal used internally by PayPal staff was recently disclosed by Germany-based security research company Vulnerability Lab.

The existence of a vulnerability in a portal used internally by PayPal staff was recently disclosed by Germany-based security research company Vulnerability Lab.

The security hole plagued an “Ethernet portal” used by PayPal employees to review user data in a secure way, Benjamin Kunz Mejri, the founder and CEO of Vulnerability Lab, told SecurityWeek. The expert managed to inject code into his own user profile, which got executed when someone from PayPal visited the profile.

“An application-side validation Web vulnerability and a filter bypass has been discovered in the official PayPal Inc. Ethernet portal backend application (API). The filter bypass allows remote attackers to evade the regular parse and encode filter mechanism of the PayPal online-service portal Web-application. The persistent input validation vulnerability allows remote attackers to inject own malicious script codes on the application-side of the vulnerable service,” reads the advisory provided by Vulnerability Lab to SecurityWeek.

“In the attack scenario we injected malicious test codes with scripts in the most attractive values of the PayPal user profile database  ̶  `bank account owner/holder (cardholder)`, `name/surname`, `company name` and of course the `account owner`,” the researchers explained.

The flaw, which has been catalogued by the security firm as being critical, could have been exploited remotely by using a low-privilege PayPal account, and did not require any interaction from the victim. Attackers could have leveraged the security issue to hijack user sessions, gain access to the accounts database, compromise developer and administrator accounts, perform external redirects, and for persistent manipulation of affected or connected modules, Vulnerability Lab said.

The vulnerability, for which researchers received a $1,000 reward, was reported to the payment processor in February 2013 and it took the company around 10 months to address the issue. Vulnerability Lab got permission to disclose the existence of the flaw only on July 4, Kunz Mejri said.

Interestingly, just before the details of the bug were disclosed to PayPal, the company’s security team contacted Kunz Mejri after noticing that whenever they accessed his security researcher profile they were presented with a message that read “Hi.”

Vulnerability in Internal PayPal Portal Screenshot

Advertisement. Scroll to continue reading.

A proof of concept and the technical details for this vulnerability are available online.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.