
PayPal Patched a Scary Remote Code Execution Bug

It’s never good news when vulnerabilities are found in widely used services such as PayPal. One of the latest, and genuinely scary, remote code execution flaws was discovered in PayPal by an independent researcher in December 2015.


Michael Stepankin has reported a vulnerability that could have enabled malicious actors to take over production systems. The vulnerability is rightly labeled critical, as it affected manager.paypal.com. Luckily, it was patched soon after it was disclosed.

A closer look shows that arbitrary shell commands could have been executed on PayPal web servers through unsafe Java object deserialization, which in turn would have given an attacker access to production databases.


This is what the researcher said, as quoted by The Register:

While security testing of manager.paypal.com, my attention was attracted by unusual post form parameter “oldFormData” that looks like a complex object after base64 decoding. After some research I realised that it’s a Java serialised object without any signature handled by the application [which] means that you can send serialised object of any existing class to a server and ‘readObject’ or ‘readResolve’ method of that class will be called.
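The mechanism the researcher describes, a base64-encoded form parameter fed straight into Java deserialization so that the readObject() of whatever class the attacker names is invoked, can be reproduced in a few lines. The following is an added example written for this article, not PayPal's code and not the researcher's exploit: the class names, the "oldFormData" handler methods and the Gadget stand-in are all assumptions. Gadget only records that its readObject() ran, where a real gadget chain would end in a command execution. The hardened variant rejects any class outside an allowlist in resolveClass(), which the JDK consults before an instance is created, so the hostile readObject() never executes.

```java
import java.io.*;
import java.util.Base64;
import java.util.Set;

// Added example (not PayPal's code): a toy "oldFormData" handler beside a
// hardened replacement. All names here are assumptions for illustration.
public class OldFormDataDemo {

    // The form state the application legitimately expects to round-trip.
    public static class FormData implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String step;
        public FormData(String step) { this.step = step; }
    }

    // Stand-in for a gadget class: any Serializable class on the classpath whose
    // readObject() has side effects. Here it only sets a flag; a real gadget chain
    // would reach Runtime.exec() from the same code path.
    public static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;   // attacker-controlled class code runs during deserialization
        }
    }

    // Builds the base64 blob exactly as it would travel in the POST parameter.
    static String encode(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // VULNERABLE: no signature check, no class restriction; any class is instantiated.
    static Object handleVulnerable(String oldFormData) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(oldFormData);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    // HARDENED: resolveClass() runs before the object is instantiated, so a class
    // outside the allowlist is rejected before its readObject() can be called.
    static class AllowlistObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of(FormData.class.getName());
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object handleHardened(String oldFormData) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(oldFormData);
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String benign  = encode(new FormData("review"));
        String hostile = encode(new Gadget());   // constructed payload, not a real exploit chain

        handleVulnerable(hostile);
        System.out.println("vulnerable handler ran Gadget.readObject: " + Gadget.readObjectRan);

        Gadget.readObjectRan = false;
        System.out.println("hardened handler accepts FormData: "
                + (handleHardened(benign) instanceof FormData));
        try {
            handleHardened(hostile);
        } catch (InvalidClassException e) {
            System.out.println("hardened handler rejected " + e.classname
                    + "; Gadget.readObject ran: " + Gadget.readObjectRan);
        }
    }
}
```

Compile and run with a Java 9 or later JDK (Set.of). The allowlist in resolveClass() is the portable fix and the same approach that Java 9's ObjectInputFilter (ObjectInputStream.setObjectInputFilter) makes built-in; the "without any signature" point in the quote also matters, because a server-side MAC over the blob would have stopped a forged parameter before it ever reached the deserializer, but a MAC alone does not help if the signing key leaks, so restricting the classes that can be deserialized is the control to keep in any case.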

Stepankin was rewarded $5,000 for his findings. Interestingly, his bug report was technically a duplicate of another report sent to PayPal two days earlier by Mark Litchfield. Given that, it is unusual that PayPal paid him: bug bounty programs typically do not reward duplicate reports.

Milena Dimitrova


An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
