Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Earns $10,000 For Reporting PayPal Account Hijacking Bug

Egyptian researcher Yasser Ali has found a way to bypass the cross-site request forgery (CSRF) protection mechanisms implemented by PayPal and take complete control of a user’s account.

Egyptian researcher Yasser Ali has found a way to bypass the cross-site request forgery (CSRF) protection mechanisms implemented by PayPal and take complete control of a user’s account.

The expert identified the vulnerability after analyzing the CSRF authentication tokens used when a PayPal customer makes a request to the website. For security measures, these tokens, which are included in the “Auth” parameter, are changed with every request. However, Ali discovered that the tokens were reusable for that specific email address or username.

The expert discovered that an attacker could obtain tokens that were valid for all users by accessing PayPal’s “Send Money” page. On this page, customers enter their email address, the recipient’s email address and the amount of money they want to send. Then, they are prompted to enter their email address/username and password to complete the process. However, Ali found that only the email address needed to be valid for the page to provide a valid token, which could be obtained by intercepting the POST request.

Once a valid authentication token was obtained, the attacker could perform a wide range of tasks on the victim’s behalf, such as adding email addresses, adding privileged users to a business account, changing security questions, changing payment methods, and modifying account settings. By changing the answers to the security questions, an attacker could set a new password for the targeted account, Ali explained in a blog post.

Since this is a CSRF attack, the malicious actor needs to convince the victim to click on a link in order for the attack to work.

PayPal addressed the vulnerability “very fast,” and rewarded the researcher with $10,000 for his findings.

“One of our security researchers recently made us aware of a potential way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com,” a PayPal Spokespeson told SecurityWeek. “Through the PayPal Bug Bounty program, the researcher reported this to us first and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern.”

The researcher has written a proof-of-concept script and published a video demonstrating how an attack could have been carried out.

Many vulnerabilities have been discovered over the past period by white hat hackers in PayPal services. Experts at Germany-based Vulnerability Lab have identified a flaw in an internal PayPal portal, and a mobile API bug that could have been leveraged to bypass a security feature.

In June, Duo Security disclosed a vulnerability that could have been exploited to bypass PayPal’s two-factor authentication mechanism.

The video below demonstrates how the CSRF vulnerability could have been leveraged to hijack PayPal accounts:

*Updated with statement from PayPal

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.