
PayPal Fixes Vulnerabilities In MultiOrder Shipping Application

PayPal has fixed a filter bypass flaw and a persistent input validation vulnerability affecting its MultiOrder Shipping application.

PayPal MultiOrder Shipping (MOS) is a tool that helps eBay businesses save time by allowing them to print up to 50 US Postal Service shipping labels at a time directly from their PayPal accounts.


Ateeq ur Rehman Khan, a researcher at Germany-based security research firm Vulnerability Lab, identified the remotely exploitable vulnerabilities and reported them to PayPal.

The researcher found a way to bypass the application's security filters by intercepting POST requests and injecting the malicious payload directly, without going through the tool's web interface.

The input validation flaw affected the “Preset Name” field in the application's settings menu and allowed an attacker to inject malicious code. Because the injected code was stored persistently, an attack required only a low-privileged account and limited user interaction.
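The two weaknesses described above share one root cause: a filter that runs only in the browser is skipped by anyone who submits the POST request directly, so the stored value reaches other users unchecked. The following is an added illustration, not PayPal's code; the field name `preset_name`, the 40-character limit and the allow-list are assumptions. It shows a server-side check applied to every request regardless of how it arrived, plus output encoding when the stored preset list is rendered to the merchant.

```python
import html
import re
from dataclasses import dataclass, field

# Added illustration, not PayPal's code. The field name "preset_name",
# the 40-character limit and the allow-list are assumptions.
PRESET_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,40}")


def client_side_filter(raw: str) -> str:
    """Stand-in for a browser-side filter that strips angle brackets before
    submit. A request crafted or intercepted outside the web interface never
    runs this code, which is why it cannot be the only control."""
    return raw.replace("<", "").replace(">", "")


def validate_preset_name(raw: str) -> str:
    """Server-side allow-list check applied to every POST, however it arrived."""
    name = raw.strip()
    if not PRESET_NAME_RE.fullmatch(name):
        raise ValueError("preset name contains disallowed characters")
    return name


@dataclass
class PresetStore:
    presets: dict = field(default_factory=dict)

    def handle_post(self, form: dict) -> bool:
        """Simulated POST handler. Returns True when the preset was stored."""
        try:
            name = validate_preset_name(form.get("preset_name", ""))
        except ValueError:
            return False
        self.presets[name] = form.get("label_size", "4x6")
        return True

    def render_preset_list(self) -> str:
        """HTML fragment shown to the merchant; each stored value is escaped so
        a value that somehow reached the store still renders as plain text."""
        items = "".join(f"<li>{html.escape(n)}</li>" for n in self.presets)
        return f"<ul>{items}</ul>"


def submit_via_browser(store: PresetStore, raw: str) -> bool:
    """Normal path: the browser filter runs, then the server re-validates."""
    return store.handle_post({"preset_name": client_side_filter(raw)})


def submit_direct_post(store: PresetStore, raw: str) -> bool:
    """Direct request: the client-side filter is skipped, the server check is not."""
    return store.handle_post({"preset_name": raw})
```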

“The vulnerability is exploitable for stand-alone user accounts but also for multi-accounts in PayPal,” reads the advisory provided by Vulnerability Lab to SecurityWeek. “A remote attacker is able to create multiple customer orders with injected payloads. When the admin merchant account user logs in and checks the Paypal Multi Online Shipping Orders, the exploit gets triggered.”

[Screenshots: PayPal vulnerability in the Preset Shipping Name field; code example from the PayPal MultiOrder Shipping vulnerability]

According to Vulnerability Lab, the flaws could have been leveraged to hijack user sessions, conduct phishing attacks, perform persistent external redirects, and persistently manipulate the content of connected or affected modules.

There’s no evidence that these security holes were exploited in the wild before PayPal fixed them. Vulnerability Lab published a proof-of-concept for this attack only after the issues were addressed.

The vulnerabilities were reported to PayPal in August 2013. However, PayPal confirmed addressing the issues only on May 10, 2014. The security research company published its report on Wednesday.

The payment processor awarded the researcher $1,000 for responsibly disclosing the security holes.
