Egyptian researcher Yasser Ali has found a way to bypass the cross-site request forgery (CSRF) protection mechanisms implemented by PayPal and take complete control of a user’s account.
The expert identified the vulnerability after analyzing the CSRF authentication tokens used when a PayPal customer makes a request to the website. For security measures, these tokens, which are included in the “Auth” parameter, are changed with every request. However, Ali discovered that the tokens were reusable for that specific email address or username.
The expert discovered that an attacker could obtain tokens that were valid for all users by accessing PayPal’s “Send Money” page. On this page, customers enter their email address, the recipient’s email address and the amount of money they want to send. Then, they are prompted to enter their email address/username and password to complete the process. However, Ali found that only the email address needed to be valid for the page to provide a valid token, which could be obtained by intercepting the POST request.
Once a valid authentication token was obtained, the attacker could perform a wide range of tasks on the victim’s behalf, such as adding email addresses, adding privileged users to a business account, changing security questions, changing payment methods, and modifying account settings. By changing the answers to the security questions, an attacker could set a new password for the targeted account, Ali explained in a blog post.
Since this is a CSRF attack, the malicious actor needs to convince the victim to click on a link in order for the attack to work.
PayPal addressed the vulnerability “very fast,” and rewarded the researcher with $10,000 for his findings.
“One of our security researchers recently made us aware of a potential way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com,” a PayPal Spokespeson told SecurityWeek. “Through the PayPal Bug Bounty program, the researcher reported this to us first and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern.”
The researcher has written a proof-of-concept script and published a video demonstrating how an attack could have been carried out.
Many vulnerabilities have been discovered over the past period by white hat hackers in PayPal services. Experts at Germany-based Vulnerability Lab have identified a flaw in an internal PayPal portal, and a mobile API bug that could have been leveraged to bypass a security feature.
In June, Duo Security disclosed a vulnerability that could have been exploited to bypass PayPal’s two-factor authentication mechanism.
The video below demonstrates how the CSRF vulnerability could have been leveraged to hijack PayPal accounts:
*Updated with statement from PayPal