CYBER NEWS

PayPal Vulnerability Allows Account Hijacking

Yasser Ali, an independent researcher, reported that a critical bug in the prevention system for cross-site request forgery made all PayPal account vulnerable to hijacking. The problem is that PayPal has re-usable authentication tokens. They can be used by cyber criminals to link their emails to the hijacked PayPal user account and gain full control over it.

Authentication Tokens

The researcher, who has discovered the bug was also able to capture an authentication token valid for the PayPal accounts. He found out that the token accounting for the authentication process of any user request was not modified for an email address. This allows the attacker to perform different modifications in case he gets authenticated.

By intercepting an authentication token that is valid for all users, the researcher was also able to bypass the CSRF Protection Authorization System of PayPal. For this test, he used the Burp toolkit in order to get the POST request from a page that includes a token prior the log-in process.

The researcher provided an example with a page used for sending money to another PayPal user. Along with the emails of both the sender and the recipient, the researcher entered a fake password. This way a token for the request for that particular account war created.

The Password

Later in his research process, Ali tried to find new ways to change the targeted account’s password without being logged in. This is usually impossible if the right answer to the security question is not provided. In order to reach this stage, the attacker would need to log in.

But, the user is asked to set a security question when he signs up for the PayPal service, which is not protected by a password. And by being in possession of the CSRF authentication token, the attacker can change the question and provide another answer.

The token validates the following requests:Magnifying glass showing word BUG in software code

  • Removing, adding and confirming an email address
  • Modifying the billing address
  • Changing the security question
  • Changing the account configuration
  • Changing the payment methods

The researcher has disclosed the information in a discrete manner through the Bug Bounty program. At the moment, all the flaws are fixed.

Avatar

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...