It is never good news when a vulnerability turns up in a service as widely used as PayPal, and a remote code execution flaw in PayPal is exactly what an independent researcher disclosed in December 2015.
Michael Stepankin reported a vulnerability that could have let attackers take over production systems. It is easily rated critical, since it affected manager.paypal.com. Fortunately, PayPal patched it soon after it was reported.
A closer look shows that an attacker could have executed arbitrary shell commands on PayPal web servers through Java object deserialization, and from there gained access to production databases. The root cause is a classic one: the application deserialized attacker-controlled bytes without verifying their origin, so any serializable class on the server's classpath, including ones whose readObject or readResolve methods do dangerous work, could be instantiated with attacker-chosen contents.
Here is how the researcher described it, as reported by The Register:
While security testing manager.paypal.com, my attention was attracted by an unusual POST form parameter, "oldFormData", that looks like a complex object after base64 decoding. After some research I realised that it's a Java serialised object without any signature handled by the application, [which] means that you can send a serialised object of any existing class to a server and the 'readObject' or 'readResolve' method of that class will be called.
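The observation in that quote is something a tester or a detection engineer can automate: decode a suspicious form parameter, check whether it opens with the Java serialization stream magic (bytes AC ED 00 05, which base64-encode to the familiar "rO0AB" prefix), and pull out the first class the stream declares. The script below is an added example written for this article; it is not Stepankin's code, not PayPal's, and the request parameters it scans are constructed here, not captured traffic. The parameter name "oldFormData" is reused from the quote purely as a label.

```python
import base64
import struct

# Constants from the Java Object Serialization Stream Protocol.
STREAM_MAGIC = 0xACED
STREAM_VERSION = 0x0005
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
SC_SERIALIZABLE = 0x02


def build_sample(class_name: str) -> bytes:
    """Hand-build a minimal serialization stream whose first record is a
    TC_OBJECT/TC_CLASSDESC for class_name. Constructed for this example only;
    it is a header, not a working gadget chain."""
    name = class_name.encode("utf-8")
    return (
        struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION)
        + bytes([TC_OBJECT, TC_CLASSDESC])
        + struct.pack(">H", len(name)) + name
        + b"\x00" * 8                      # serialVersionUID (any value)
        + bytes([SC_SERIALIZABLE])         # classDescFlags
        + struct.pack(">H", 0)             # field count: none
    )


def encode_sample(class_name: str) -> str:
    """Base64-encode a constructed stream, as it would appear in a form field."""
    return base64.b64encode(build_sample(class_name)).decode("ascii")


def inspect_param(value: str):
    """Return (is_java_stream, first_class_name).

    is_java_stream is True when the base64-decoded value starts with the
    serialization magic and version. first_class_name is the class named by a
    leading TC_OBJECT/TC_CLASSDESC record, or None when the stream is
    truncated or opens with a different record type."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False, None
    if len(raw) < 4:
        return False, None
    magic, version = struct.unpack(">HH", raw[:4])
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        return False, None
    if len(raw) >= 8 and raw[4] == TC_OBJECT and raw[5] == TC_CLASSDESC:
        (name_len,) = struct.unpack(">H", raw[6:8])
        name = raw[8:8 + name_len]
        if len(name) == name_len:
            return True, name.decode("utf-8", errors="replace")
    return True, None


def scan_form(params: dict) -> dict:
    """Map each parameter that carries a Java serialized object to the first
    class it declares (or None). Parameters that are not Java streams are
    omitted, so an empty result means nothing to investigate."""
    findings = {}
    for key, value in params.items():
        is_stream, cls = inspect_param(value)
        if is_stream:
            findings[key] = cls
    return findings


# Constructed request parameters (not captured traffic). Only the first one is
# a Java stream; the other two are decoys a naive base64 check would trip on.
SAMPLE_PARAMS = {
    "oldFormData": encode_sample("java.util.HashMap"),
    "csrfToken": base64.b64encode(b"not-a-java-object").decode("ascii"),
    "comment": "plain text, not base64!!",
}

if __name__ == "__main__":
    for key, cls in scan_form(SAMPLE_PARAMS).items():
        print(f"{key}: Java serialized object, first class {cls or '<unknown>'}")
```

A hit on this check is not yet a vulnerability; it tells you the server is consuming serialized Java objects from the client, and the next question is whether that input is signed or otherwise authenticated before ObjectInputStream.readObject is called. In the case described above it was not, which is what turned an odd-looking parameter into remote code execution.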
Stepankin was rewarded $5,000 for his findings. Interestingly, his report turned out to be a duplicate of one that Mark Litchfield had sent to PayPal two days earlier. That makes the payout unusual, since bug bounty programs typically do not pay for duplicate reports.