Yasser Ali, um pesquisador independente, relatou que um bug crítico no sistema de prevenção de falsificação de solicitações entre sites tornou todas as contas do PayPal vulneráveis a seqüestros. O problema é que o PayPal possui tokens de autenticação reutilizáveis. They can be used by cyber criminals to link their emails to the hijacked PayPal user account and gain full control over it.
tokens de autenticação
O pesquisador, who has discovered the bug was also able to capture an authentication token valid for the PayPal accounts. He found out that the token accounting for the authentication process of any user request was not modified for an email address. This allows the attacker to perform different modifications in case he gets authenticated.
By intercepting an authentication token that is valid for all users, the researcher was also able to bypass the CSRF Protection Authorization System of PayPal. For this test, he used the Burp toolkit in order to get the POST request from a page that includes a token prior the log-in process.
The researcher provided an example with a page used for sending money to another PayPal user. Along with the emails of both the sender and the recipient, the researcher entered a fake password. This way a token for the request for that particular account war created.
Later in his research process, Ali tried to find new ways to change the targeted account’s password without being logged in. This is usually impossible if the right answer to the security question is not provided. In order to reach this stage, the attacker would need to log in.
Mas, the user is asked to set a security question when he signs up for the PayPal service, which is not protected by a password. And by being in possession of the CSRF authentication token, the attacker can change the question and provide another answer.
- remoção, adding and confirming an email address
- Modifying the billing address
- Changing the security question
- Changing the account configuration
- Changing the payment methods
The researcher has disclosed the information in a discrete manner through the Bug Bounty program. No momento, all the flaws are fixed.