Security Experts:

Connect with us

Hi, what are you looking for?



Flaw Allowed Hackers to Deliver Malicious Images via PayPal

PayPal has addressed a vulnerability that could have been exploited by hackers to insert malicious images into payment pages.

PayPal has addressed a vulnerability that could have been exploited by hackers to insert malicious images into payment pages.

Security researcher Aditya K Sood discovered that the URL of payment pages set up by PayPal users included a parameter called “image_url.” The value of this parameter could have been replaced with a URL pointing to an image hosted on a remote server.

This could have allowed an attacker to use a third-party vendor’s PayPal payment page to deliver malicious images. Sood demonstrated the existence of the flaw by displaying an arbitrary image on a vendor’s payment page, but he believes an attacker could have delivered a piece of malware or an exploit hidden in an image.

Cybercriminals have been known to use harmless-looking image files to hide malware. Such techniques have been used by the developers of the Lurk downloader, the Neverquest malware, the Stegoloader infostealer, and a Brazilian Trojan analyzed recently by Kaspersky.

“This is an insecure design as PayPal allows remote users to inject images owned by them into the PayPal components used for transactions by the customers,” Sood told SecurityWeek. “That being said, the question is — can you deliver malware or an exploit through images? The answer is yes. Exploit techniques such as Stegosploit can be used to achieve that.”

Image inserted into PayPal payment page

An attacker could have exploited this vulnerability by getting an unauthenticated user to click on a specially crafted link. The fact that the URL was hosted on increased the likelihood of the victim opening the link.

The vulnerability was reported to PayPal in January, but it was patched only this month. The company initially said the report did not qualify for a bounty, but it later decided to fix the flaw and award Sood $1,000 for his findings.

The researcher believes this is a high risk issue and he is displeased that the company disagrees with his assessment. PayPal told the expert that the attack scenario he described is unlikely considering that there are much easier ways to deliver malware. The payment processor also noted that it’s actively scanning for malicious content.

Related: Flaw Allowed Hackers to Abuse PayPal Confirmation Emails

Related: PayPal Patches Serious Flaw in Payment System

Related: Deserialization Bug in PayPal App Allowed Code Execution

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet