Vulnerabilities

Flaw Allowed Hackers to Deliver Malicious Images via PayPal

PayPal has addressed a vulnerability that could have been exploited by hackers to insert malicious images into payment pages.

Eduard Kovacs

June 24, 2016

PayPal has addressed a vulnerability that could have been exploited by hackers to insert malicious images into payment pages.

Security researcher Aditya K Sood discovered that the URL of payment pages set up by PayPal users included a parameter called “image_url.” The value of this parameter could have been replaced with a URL pointing to an image hosted on a remote server.

This could have allowed an attacker to use a third-party vendor’s PayPal payment page to deliver malicious images. Sood demonstrated the existence of the flaw by displaying an arbitrary image on a vendor’s payment page, but he believes an attacker could have delivered a piece of malware or an exploit hidden in an image.

Cybercriminals have been known to use harmless-looking image files to hide malware. Such techniques have been used by the developers of the Lurk downloader, the Neverquest malware, the Stegoloader infostealer, and a Brazilian Trojan analyzed recently by Kaspersky.

“This is an insecure design as PayPal allows remote users to inject images owned by them into the PayPal components used for transactions by the customers,” Sood told SecurityWeek. “That being said, the question is — can you deliver malware or an exploit through images? The answer is yes. Exploit techniques such as Stegosploit can be used to achieve that.”

Image inserted into PayPal payment page

An attacker could have exploited this vulnerability by getting an unauthenticated user to click on a specially crafted link. The fact that the URL was hosted on paypal.com increased the likelihood of the victim opening the link.

The vulnerability was reported to PayPal in January, but it was patched only this month. The company initially said the report did not qualify for a bounty, but it later decided to fix the flaw and award Sood $1,000 for his findings.

The researcher believes this is a high risk issue and he is displeased that the company disagrees with his assessment. PayPal told the expert that the attack scenario he described is unlikely considering that there are much easier ways to deliver malware. The payment processor also noted that it’s actively scanning for malicious content.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Latest News

Click to comment

How the Atomized Network Changed Enterprise Protection

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud, and edge.

Matt Wilson

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Landon Winkelvoss

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Torsten George

Why CISOs Make Great Board Members

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make for successful board members.

Galina Antova

A Change in Mindset: From a Threat-based to Risk-based Approach to Security

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Marie Hattar