Connect with us

Hi, what are you looking for?



PayPal Fixes Remote Code Execution Flaw in Partner Program Website

PayPal’s Partner Program website ( was plagued by a vulnerability that could have been exploited for remote code execution.

PayPal’s Partner Program website ( was plagued by a vulnerability that could have been exploited for remote code execution.

The security hole was identified by Milan Solanki, a member of Germany-based Vulnerability Lab. According to an advisory published by the security firm, the bug discovered by the expert is related to the Java Debug Wire Protocol (JDWP), the protocol used for communication between a debugger and the Java virtual machine which it debugs.

IOActive researchers showed in April 2014 that the JDWP service can be abused for reliable remote code execution. IOActive also released jdwp-shellifier, a tool designed to help penetration testers achieve remote code execution on the JDWP service.

Using IOActive’s tool, Solanki connected to the PayPal partner site on port 8000. Once connected, the expert said he was able to execute server-side commands with root privileges. The researcher published a video to demonstrate his findings.

Vulnerability Lab told SecurityWeek that PayPal awarded the researcher $1,500, the maximum bounty for security bugs found in partner websites.

“The security community’s contributions to PayPal’s Bug Bounty Program are what makes the program valuable and successful. Participants are rewarded based on the classification, security issue and overall vulnerability determined by PayPal’s security engineers,” PayPal told SecurityWeek. “We take remote code execution (RCE) vulnerabilities very seriously, and reward up to $1,500 for those found on partner sites. Sensitive information is not stored on these partner sites.”

According to PayPal, the bug found by Solanki was fixed within 48 hours. The company says it hasn’t found any evidence of unauthorized access or compromise to the server data.

Advertisement. Scroll to continue reading.

This isn’t the only PayPal vulnerability identified by Solanki. Last month, the researcher reported uncovering a cross-site scripting (XSS) flaw for which the online payments system awarded him $750.

Details on the rewards offered by PayPal and instructions on submitting bugs can be found on the company’s Bug Bounty page.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.