Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Find Vulnerability in Internal PayPal Portal

The existence of a vulnerability in a portal used internally by PayPal staff was recently disclosed by Germany-based security research company Vulnerability Lab.

The existence of a vulnerability in a portal used internally by PayPal staff was recently disclosed by Germany-based security research company Vulnerability Lab.

The security hole plagued an “Ethernet portal” used by PayPal employees to review user data in a secure way, Benjamin Kunz Mejri, the founder and CEO of Vulnerability Lab, told SecurityWeek. The expert managed to inject code into his own user profile, which got executed when someone from PayPal visited the profile.

“An application-side validation Web vulnerability and a filter bypass has been discovered in the official PayPal Inc. Ethernet portal backend application (API). The filter bypass allows remote attackers to evade the regular parse and encode filter mechanism of the PayPal online-service portal Web-application. The persistent input validation vulnerability allows remote attackers to inject own malicious script codes on the application-side of the vulnerable service,” reads the advisory provided by Vulnerability Lab to SecurityWeek.

“In the attack scenario we injected malicious test codes with scripts in the most attractive values of the PayPal user profile database  ̶  `bank account owner/holder (cardholder)`, `name/surname`, `company name` and of course the `account owner`,” the researchers explained.

The flaw, which has been catalogued by the security firm as being critical, could have been exploited remotely by using a low-privilege PayPal account, and did not require any interaction from the victim. Attackers could have leveraged the security issue to hijack user sessions, gain access to the accounts database, compromise developer and administrator accounts, perform external redirects, and for persistent manipulation of affected or connected modules, Vulnerability Lab said.

The vulnerability, for which researchers received a $1,000 reward, was reported to the payment processor in February 2013 and it took the company around 10 months to address the issue. Vulnerability Lab got permission to disclose the existence of the flaw only on July 4, Kunz Mejri said.

Advertisement. Scroll to continue reading.

Interestingly, just before the details of the bug were disclosed to PayPal, the company’s security team contacted Kunz Mejri after noticing that whenever they accessed his security researcher profile they were presented with a message that read “Hi.”

Vulnerability in Internal PayPal Portal Screenshot

A proof of concept and the technical details for this vulnerability are available online.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.