Yasser Ali, an independent researcher, reported that a critical bug in PayPal's cross-site request forgery (CSRF) prevention system made all PayPal accounts vulnerable to hijacking. The problem is that PayPal used re-usable authentication tokens. Cyber criminals could use them to link their own email addresses to a hijacked PayPal account and gain full control over it.
The researcher who discovered the bug was also able to capture an authentication token valid for PayPal accounts. He found that the token used to authorize any user request did not change from one email address to another. This allows an attacker to make various modifications once authenticated.
By intercepting an authentication token that was valid for all users, the researcher was able to bypass PayPal's CSRF Protection Authorization System. For this test, he used the Burp toolkit to capture the POST request from a page that includes a token prior to the log-in process.
The researcher provided an example using the page for sending money to another PayPal user. Along with the email addresses of both the sender and the recipient, the researcher entered a fake password. This way a token for that particular account's request was created.
Later in his research, Ali looked for ways to change the targeted account's password without being logged in. This is normally impossible unless the right answer to the security question is provided, and reaching that stage would require the attacker to log in.
But the user is asked to set a security question when signing up for the PayPal service, and that step is not protected by a password. By being in possession of the CSRF authentication token, the attacker can change the question and provide a different answer. With the reusable token, the attacker could also perform actions such as:
- Removing, adding and confirming an email address
- Modifying the billing address
- Changing the security question
- Changing the account configuration
- Changing the payment methods
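The root cause described above is a CSRF token that is not bound to the session it protects. As an added illustration (not code from PayPal or from the researcher), the following contrasts a shared, static token check with a per-session synchronizer token that is stored server-side, compared in constant time and rotated after a sensitive action; the session identifiers and the in-memory store are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store; a real application would use its
# session backend. Maps session id -> CSRF token issued for that session.
_csrf_tokens: dict[str, str] = {}

SHARED_TOKEN = "constructed-static-token"  # weak design: one token for everyone


def weak_check(submitted: str) -> bool:
    # Weak: the token is not tied to who is logged in, so a value captured by
    # an attacker from their own session also passes for a victim's request.
    return hmac.compare_digest(submitted, SHARED_TOKEN)


def issue_token(session_id: str) -> str:
    # Hardened: a fresh random token per authenticated session, kept
    # server-side (synchronizer token pattern).
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def check_token(session_id: str, submitted: str) -> bool:
    # Constant-time comparison against the token issued to THIS session only;
    # a token from any other session (or no session) is rejected.
    expected = _csrf_tokens.get(session_id)
    if expected is None:
        return False
    return hmac.compare_digest(submitted, expected)


def handle_change_security_question(session_id: str, submitted_token: str,
                                    new_question: str) -> dict:
    # One of the sensitive state changes listed on this page. The token is
    # rotated after use so a captured value cannot be replayed later.
    if not check_token(session_id, submitted_token):
        return {"status": 403, "reason": "csrf token invalid for this session"}
    _csrf_tokens[session_id] = secrets.token_urlsafe(32)  # single use
    return {"status": 200, "question": new_question}
```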
The researcher disclosed the information discreetly through PayPal's Bug Bounty program. At the moment, all the flaws are fixed.