PayPal’s Partner Program website (paypal-marketing.com) was plagued by a vulnerability that could have been exploited for remote code execution.
The security hole was identified by Milan Solanki, a member of Germany-based Vulnerability Lab. According to an advisory published by the security firm, the bug discovered by the expert is related to the Java Debug Wire Protocol (JDWP), the protocol used for communication between a debugger and the Java virtual machine which it debugs.
IOActive researchers showed in April 2014 that the JDWP service can be abused for reliable remote code execution. IOActive also released jdwp-shellifier, a tool designed to help penetration testers achieve remote code execution on the JDWP service.
Using IOActive’s tool, Solanki connected to the PayPal partner site on port 8000. Once connected, the expert said he was able to execute server-side commands with root privileges. The researcher published a video to demonstrate his findings.
Vulnerability Lab told SecurityWeek that PayPal awarded the researcher $1,500, the maximum bounty for security bugs found in partner websites.
“The security community’s contributions to PayPal’s Bug Bounty Program are what makes the program valuable and successful. Participants are rewarded based on the classification, security issue and overall vulnerability determined by PayPal’s security engineers,” PayPal told SecurityWeek. “We take remote code execution (RCE) vulnerabilities very seriously, and reward up to $1,500 for those found on partner sites. Sensitive information is not stored on these partner sites.”
According to PayPal, the bug found by Solanki was fixed within 48 hours. The company says it hasn’t found any evidence of unauthorized access or compromise to the server data.
This isn’t the only PayPal vulnerability identified by Solanki. Last month, the researcher reported uncovering a cross-site scripting (XSS) flaw for which the online payments system awarded him $750.
Details on the rewards offered by PayPal and instructions on submitting bugs can be found on the company’s Bug Bounty page.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
Latest News
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Google Patches Third Chrome Zero-Day of 2023
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
