PayPal patches vulnerability that could have let an attacker hijack anyone’s account (updated)

Update: The security has been plugged. PayPal paid out rewards via its Bug Bounty Program.

“Through the PayPal Bug Bounty Program, one of our security researchers recently made us aware of a way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com,” a PayPal spokesperson told VentureBeat. “This type of protection helps customers avoid attacks by criminals where they could make changes to your account. Our team worked quickly to address this vulnerability, and we have already fixed the issue. There is no evidence that any customer was impacted. We are grateful to the security community for their contributions to the Bug Bounty Program, and helping us keep our customers’ information secure.”

The original story follows below.

—

Security researcher Yasser Ali has publicly disclosed a vulnerability in PayPal’s website. Ali claims he was able to hijack anyone’s account in a targeted attack.

The “targeted attack” part here is important: even if Ali’s findings work exactly as he describes, an attacker would still require some initial information, most critically the email address used for a given PayPal login, as well as a way to lure the victim into clicking on a malicious link. With those two key pieces, anyone could potentially take full control over a PayPal account.

An attacker could perform the following on your PayPal account, according to Ali:

• Add/Remove/Confirm email address
• Add fully privileged users to a business account
• Change security questions
• Change billing/shipping address
• Change payment methods
• Change user settings (including notifications and other mobile settings)

Ali has created a proof-of-concept video that shows his exploit to demonstrate the attack on a test Python server:

https://www.youtube.com/watch?v=KoFFayw58ZQ

The vulnerability is of the Cross-Site Request Forgery (CSRF) type. The security hole is in the “Auth” token responsible for authenticating every single request made by the user. Although it is changed with every request made by the user, Ali found it is reusable for that specific user email address or username, meaning an attacker could use it to make actions on behalf of any logged-in user.

For context, CSRF is a malicious exploit type whereby unauthorized commands are transmitted from a user that a given website already trusts. If an attacker manages to convince the victim to click on a specially crafted exploit link, a request can be made to the vulnerable website on their behalf.

An attacker could provide an email address and any password to capture a PayPal request for sending money, for example, and that request will contain a valid “Auth” token. Since this token is reusable, the attacker can authorize the request.

Next, Ali found a loophole that lets an attacker obtain an “Auth” token that is valid for all users. This can be done by intercepting the POST request from a page that provides an “Auth” token before the logging-in process: paypal.com/eg/cgi-bin/webscr?cmd=_send-money.

This means an attacker can make almost any request on behalf of the targeted user. An attacker cannot, however, change the victim’s password without answering the security questions set by the user, since users themselves cannot change security questions without entering their password first.

The request for setting up security questions in the first place, which is initiated by the user when signing up for PayPal, is allegedly not password-protected. As such, Ali says this process can be reused to reset the security questions without providing the password. An attacker could thus change the victim’s security questions. At that point, anything goes.

We have contacted PayPal about this alleged vulnerability. We will update this article when we hear back.