PayPal Patches Critical Security Vulnerabilities



PayPal is in the news again for a series of fairly high-profile vulnerabilities discovered by Nir Goldshlager, the same guy who found the XSS bugs in Google Calendar and Twitter.

I’m glad people are looking at PayPal, as I’m sure the volume of monetary transactions that pass through their site on a daily basis is huge. It’s still the leading payment processing solution, especially for international transactions.

The impact seems to be more on the business side rather than affecting users, but exposing so much customer data is never a good thing.

A security researcher has uncovered multiple vulnerabilities affecting PayPal, the most critical of which could have enabled attackers to access PayPal’s business and premier reports back-end system.

The vulnerabilities were patched recently by PayPal after security researcher Nir Goldshlager of Avnet Technologies brought the vulnerabilities to the site’s attention. The most critical bug was a permission flow problem in business.paypal.com, and could have potentially exposed a massive amount of customer data.

“An attacker was able to access and watch any other user’s financial, orders and report information with unauthorized access to the report backend application,” Goldshlager explained. “When users have a premier account or business account the transaction details of their orders are saved in the reports application … an attacker can look at any finance reports of premier or business accounts in the PayPal reports application and get a full month [and] day summary of the orders reports.”

That includes information such as the PayPal buyer’s full shipping address, the PayPal transaction ID of the buyer and the date and amount of transaction.

It’s good to see responsible disclosure by the researcher and swift action on behalf of PayPal in fixing the flaws. It seems pretty rare these days, with the walls of bullshit companies push out via their PR/comms channels, trying to create enough smoke and mirrors to distract everyone from the real issues.

Hijacking a user’s account on PayPal is a pretty serious issue, as the attacker could simply transfer all the person’s funds to their own account. If the account owner wasn’t very active, they wouldn’t even notice. It is even more dangerous if the account is linked to a credit or debit card.

The other vulnerabilities Goldshlager found included an XSS (cross-site scripting) vulnerability affecting the paypal.com and business.paypal.com sites that an attacker could use to steal session IDs and hijack user accounts, as well as a CSRF (cross-site request forgery) bug that exposed user account information. The CSRF vulnerability impacts the IPN (Instant Payment Notification) system, a PayPal service that sends a message once a transaction has taken place.

Once IPN is integrated, sellers can automate their back offices so they don’t have to wait for payments to come in to fulfill orders, Goldshlager explained.

“This CSRF exploit method exposes the same information from the buyer as the first vulnerability … to exploit a CSRF attack that adds an Instant Payment Notification access, the attacker will make an attack that adds his own Website address to the victim account IPN settings, and when there is a transaction on PayPal the victim’s transaction details will be sent to the attacker’s Website,” he said.

The IPN issue is dangerous too, as you could develop some software to place bogus orders on ecommerce sites and then generate a fake IPN back to the site to get the goods for free without any actual payment taking place.
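On the seller's side, a forged IPN only works if the listener trusts whatever arrives; the standard check is to echo each notification back to PayPal with `cmd=_notify-validate` and fulfil the order only on a `VERIFIED` answer, then confirm receiver, amount and transaction ID. The listener logic below is an added example, not code from the article or from PayPal; the merchant data, the sample message and `stub_postback` (an offline stand-in for the HTTPS postback) are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed merchant state (assumptions, not from the article).
MERCHANT_EMAIL = "seller@example.test"
ORDERS = {"1001": {"amount": "25.00", "currency": "USD", "paid": False}}
SEEN_TXN_IDS = set()

# Constructed sample IPN body, standing in for a message PayPal really sent.
GENUINE = urlencode({
    "payment_status": "Completed", "receiver_email": MERCHANT_EMAIL,
    "txn_id": "TESTTXN0001", "invoice": "1001",
    "mc_gross": "25.00", "mc_currency": "USD",
})


def stub_postback(body):
    """Offline stand-in for the HTTPS postback to PayPal (hypothetical helper)."""
    return "VERIFIED" if body == "cmd=_notify-validate&" + GENUINE else "INVALID"


def handle_ipn(raw_body, postback):
    """Return (accepted, reason) for one raw IPN request body."""
    # 1. Echo the exact body back to PayPal; only its answer is trusted.
    if postback("cmd=_notify-validate&" + raw_body).strip() != "VERIFIED":
        return False, "postback not VERIFIED"
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    # 2. Only completed payments into our own account count.
    if fields.get("payment_status") != "Completed":
        return False, "payment not completed"
    if fields.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "wrong receiver"
    # 3. Reject replays of a previously processed transaction.
    txn_id = fields.get("txn_id", "")
    if not txn_id or txn_id in SEEN_TXN_IDS:
        return False, "missing or replayed txn_id"
    # 4. The paid amount must match what the order actually costs.
    order = ORDERS.get(fields.get("invoice", ""))
    if order is None or order["paid"]:
        return False, "unknown or already paid order"
    paid = (fields.get("mc_gross"), fields.get("mc_currency"))
    if paid != (order["amount"], order["currency"]):
        return False, "amount mismatch"
    SEEN_TXN_IDS.add(txn_id)
    order["paid"] = True
    return True, "ok"
```

In a real listener, `postback` would send the body to PayPal over HTTPS, and the seen-transaction set and order table would live in the shop's database.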

Some other minor CSRF flaws were also discovered, but according to PayPal ‘nearly all’ have been fixed.

Source: eWeek (Thanks to Nir Goldshlager himself for e-mailing me the article)




Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking



2 Responses to PayPal Patches Critical Security Vulnerabilities

  1. Shyaam April 23, 2010 at 8:34 am #

    Nice Finding…

  2. wow oh wow April 30, 2010 at 5:43 am #

    doods, this is amazing! thanks for the post.