Deserialization Bug in PayPal App Allowed Code Execution

PayPal has addressed a serious remote code execution vulnerability caused by a Java deserialization bug disclosed last year, and shared some recommendations for security practitioners based on the lessons learned in the process of dealing with the issue.

Deserialization of Untrusted Data

In January 2015, researchers Chris Frohoff and Gabriel Lawrence explained how poor coding practices can lead to Java deserialization flaws and allow arbitrary code execution. The experts also released a tool for generating payloads that exploit unsafe Java object deserialization.

Their presentation at the AppSecCali conference went largely unnoticed until November, when FoxGlove Security demonstrated how easy it is for an attacker to exploit the vulnerabilities against Oracle WebLogic, IBM WebSphere, Red Hat’s JBoss, Jenkins, OpenNMS and other applications that rely on the Apache Commons Collections Java library.

Serialization is the process of converting an object into a stream of bytes so that it can be stored (in memory or in a file) or transmitted. The reverse process, reconstructing an object from that byte stream, is called deserialization. Vulnerabilities appear when the developers of applications that use serialization fail to ensure that serialized data from untrusted sources is never accepted for deserialization.

Apache Commons Collections developers patched the flaw, but the issue is not specific to this Java library. SourceClear researchers reported in early December that they had identified tens of other libraries that could introduce similar vulnerabilities. Furthermore, as PayPal has pointed out, deserialization of untrusted data is not specific to Java either. Mitre’s description of the issue notes that it can affect applications built on platforms such as Python, PHP and Ruby.

Java Deserialization Vulnerability in PayPal Application

After FoxGlove Security published its exploits for applications using Apache Commons Collections, PayPal started analyzing its own apps in an effort to determine which of them were affected. The company’s initial assessment, which focused on its core Java frameworks, showed that they hadn’t used any of the vulnerable classes in the Apache library.

However, a remote code execution bug report submitted to PayPal on December 11 by Mark Litchfield, founder of the Bug Bounty HQ service and one of the top researchers in the payment processor’s bug bounty program, showed that the issue did affect one of the company’s apps. Litchfield used the exploit generator published by Frohoff and Lawrence to demonstrate the existence of the flaw.

PayPal missed the flaw in its initial assessment because the application was not in its core Java frameworks.

While PayPal did not disclose the name of the vulnerable application in its blog post, security researcher Michael Stepankin said he reported the same flaw two days after Litchfield. In a blog post published on Monday, Stepankin released technical details and a video demonstrating the existence of the vulnerability in PayPal’s Manager portal hosted at

The researcher said the vulnerability allowed him to execute arbitrary shell commands on PayPal’s servers and gain access to production databases.

“I realized that I could execute arbitrary OS commands on web servers and moreover, I could establish a back connection to my own internet server and, for example, upload and execute a backdoor. As a result, I could get access to production databases used by the application,” Stepankin said.

The researcher told SecurityWeek that PayPal awarded him $5,000 despite classifying his submission as a duplicate.

“While we acknowledge it is not our typical practice, we can confirm that two researchers were awarded payments in connection with the same bug,” PayPal told SecurityWeek.

Advice From PayPal

PayPal has provided a series of recommendations for handling such complex Java deserialization vulnerabilities on a large scale.

The company advises security practitioners to invest in tools and technologies that help inventory applications, libraries and their dependencies, and to implement monitoring until a proper patch is applied. In the short term, organizations should focus on patching high-risk systems that are exposed to the Internet. In the long term, organizations should keep in mind that deserialization problems are not specific to Apache Commons Collections or Java, and should either turn off object serialization everywhere or learn how to address the risks.
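The bug class described above (an application reconstructing objects from bytes it did not produce) and the long-term advice here (turn serialization off, or constrain what it may reconstruct) can be shown side by side in code. The following is an added example written for this page, not code from PayPal, FoxGlove Security or the researchers mentioned; it uses Python’s `pickle` format, one of the non-Java platforms the article says is affected, because the mechanism is the same: the serialized stream names which classes and callables the loader should resolve, so a loader that resolves anything will run whatever the sender chose. The `Hostile`, `Greeting`, `record_call` and `RestrictedUnpickler` names are constructed for the example, and the callable invoked is a harmless recorder standing in for the shell commands the article describes.

```python
"""Deserialization of untrusted data, shown with Python's pickle format.

Constructed example (not from the page): a serialized payload is shaped so
that merely loading it invokes a callable chosen by the sender.  The
"vulnerable" loader resolves and runs it; the hardened loader only resolves
classes on an allow-list and rejects the same stream before anything runs.
"""
import io
import pickle

# Records every call made during unpickling.  A benign stand-in for the
# arbitrary code a real payload would run; nothing here touches the OS.
CALLS = []


def record_call(marker):
    CALLS.append(marker)
    return marker


class Hostile:
    """Object whose pickled form carries a reconstruction recipe, not data.

    pickle stores the (callable, args) pair returned by __reduce__; a loader
    that trusts the stream calls record_call("payload-ran") on load.
    """

    def __reduce__(self):
        return (record_call, ("payload-ran",))


class Greeting:
    """The legitimate DTO the application actually expects to receive."""

    def __init__(self, text):
        self.text = text


def vulnerable_load(data: bytes):
    """Resolves whatever the stream names: the bug class the article describes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Look-ahead allow-list: find_class is consulted before any class is
    resolved, so a stream naming anything else is rejected before it runs."""

    ALLOWED = {(Greeting.__module__, "Greeting")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data: bytes):
    """Hardened loader: same format, but only allow-listed classes resolve."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if the hardened loader refuses the stream (nothing was executed)."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    hostile_stream = pickle.dumps(Hostile())      # constructed untrusted input
    legit_stream = pickle.dumps(Greeting("hello"))  # constructed expected input

    vulnerable_load(hostile_stream)
    print("vulnerable loader ran the payload:", CALLS)   # ['payload-ran']

    CALLS.clear()
    print("hardened loader rejected it:", safe_load_rejects(hostile_stream),
          "calls made:", CALLS)                          # True, []
    print("hardened loader still accepts the DTO:",
          safe_load(legit_stream).text)                 # hello
```

The point the allow-list makes is the one PayPal’s advice turns on: the serialized bytes themselves cannot be trusted to describe only data, so the decision about what may be reconstructed has to be made by the receiving code, per class, before the stream is acted on. The Java equivalent of this look-ahead check is a deserialization filter applied to the input stream; where no such control is practical, the article’s other option, not deserializing untrusted input at all, is the safer one.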

“We understand that today’s application infrastructure is complex and you don’t own/control all the code that runs in your environment. This specific deserialization vulnerability is much larger than any of us initially anticipated – spanning across open source components, third-party commercial tools and our own custom code,” PayPal said. “Other organizations should treat this seriously as it can result in remote code execution and implement security controls for long-term remediation, and not stop just at patching the commons-collections library.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
