
PayPal Fixes Vulnerabilities In MultiOrder Shipping Application

PayPal has fixed a filter bypass flaw and a persistent input validation vulnerability affecting its MultiOrder Shipping application.

PayPal MultiOrder Shipping (MOS) is a tool that helps eBay businesses save time by allowing them to print up to 50 US Postal Service shipping labels at a time directly from their PayPal accounts.


Ateeq ur Rehman Khan, an expert from Germany-based security research firm Vulnerability Lab, is the one who identified and reported the remotely-exploitable vulnerabilities to PayPal.

The researcher found a way to bypass security filters by intercepting POST requests and injecting the malicious payload directly without having to use the tool’s Web interface.

The input validation flaw affected the “Preset Name” field located in the application’s settings menu and it enabled an attacker to inject malicious code. Since the vulnerability was persistent, an attack only required an account with low privileges and limited user interaction.

“The vulnerability is exploitable for stand-alone user accounts but also for multi-accounts in PayPal,” reads the advisory provided by Vulnerability Lab to SecurityWeek. “A remote attacker is able to create multiple customer orders with injected payloads. When the admin merchant account user logs in and checks the Paypal Multi Online Shipping Orders, the exploit gets triggered.”
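As an added illustration (not code from the advisory, from Vulnerability Lab or from PayPal), the defensive pattern the bug calls for: a preset-name field is validated on the server, so a filter that only lives in the web interface cannot be bypassed by posting directly, and the stored value is HTML-encoded when it is later rendered to the merchant admin. The field name, allowlist policy and sample requests below are assumptions.

```python
import html
import re
from dataclasses import dataclass, field

# Hypothetical server-side allowlist for a shipping preset name: letters, digits,
# space and a little punctuation, 1-64 characters. Not PayPal's actual policy.
_PRESET_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


class InvalidPresetName(ValueError):
    pass


def validate_preset_name(raw: str) -> str:
    """Validate on the server: a browser-side filter is bypassed by posting directly."""
    name = raw.strip()
    if not _PRESET_NAME_RE.fullmatch(name):
        raise InvalidPresetName(f"preset name rejected: {raw!r}")
    return name


def render_preset_option(name: str) -> str:
    """Context-aware output encoding for the settings page the admin views."""
    safe = html.escape(name, quote=True)  # escapes < > & " '
    return f'<option value="{safe}">{safe}</option>'


@dataclass
class PresetStore:
    presets: list = field(default_factory=list)

    def handle_post(self, form: dict) -> bool:
        """Simulated POST handler; returns True if the preset was stored."""
        try:
            self.presets.append(validate_preset_name(form.get("presetName", "")))
            return True
        except InvalidPresetName:
            return False

    def render_settings(self) -> str:
        return "".join(render_preset_option(p) for p in self.presets)


# Constructed sample requests (not from the advisory): one legitimate name and one
# that carries markup, as if the form's client-side filter had been skipped.
SAMPLE_POSTS = [
    {"presetName": "Priority Mail - Small Box"},
    {"presetName": 'Box <b>1</b> "rush"'},
]


def demo():
    store = PresetStore()
    results = [store.handle_post(p) for p in SAMPLE_POSTS]
    return results, store.render_settings()
```

Rejecting markup at the server and encoding on output are independent layers; the second still protects the admin view if a name slips past the first.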

[Image: PayPal vulnerability in the Preset Shipping Name field]

[Image: Code example from the PayPal MultiOrder Shipping vulnerability]

According to Vulnerability Lab, the flaws could have been leveraged to hijack user sessions, mount phishing attacks, perform persistent external redirects, and persistently manipulate the context of connected or affected modules.


There’s no evidence that these security holes were exploited in the wild before PayPal fixed them. Vulnerability Lab published a proof-of-concept for this attack only after the issues were addressed.

The vulnerabilities were reported to PayPal in August 2013. However, PayPal confirmed addressing the issues only on May 10, 2014. The security research company published its report on Wednesday.

The payment processor rewarded the researcher with $1,000 for responsibly disclosing the security holes.
