How to hack PayPal Manager and manage your Payflow account

Pierluigi Paganini May 15, 2014

Mark Litchfield, security expert at Securatary, has published a proof of concept showing how a PayPal Manager admin account can be hijacked.

Litchfield's post describes a PayPal Manager admin account hijack. PayPal Manager is the portal used to manage a user's Payflow account.

The attack method against PayPal Manager described by Litchfield consists of a series of steps, each of which overcomes a different obstacle on the way to hijacking an admin's merchant account and password.


The hack described by the expert consists of the following phases:

  1. Enumeration of account information. Requesting a new password requires a valid Partner ID and Vendor ID, so valid account information was needed first. The attacker selects the "Customize and Preview" function from the available menu, customizes the page and, when requesting the preview of the layout, captures the GET request in Burp. At this point he can run a dictionary attack to retrieve valid IDs for the platform. In the example he used a built-in Burp function; analyzing the responses, he noted that a response length in the range 1800 - 2010 bytes meant the attempt had failed, while a longer response meant success.
  2. After entering valid credentials, you are prompted for a security question before an email containing the password reset link is sent, so an attack to bypass the security question was needed. The attacker now has a valid user ID but not the password; he needs to perform a password reset, but the security question stands in the way. After the reset form is filled in, an email containing the link to the reset page is sent to the PayPal user. Litchfield captured the POST request to analyze it and tried to reuse it shortly afterwards: he went back to the login page and selected the "Forgot password" feature again, but this time used the UID of another merchant account he had set up for the test ("hackThis"). He noted that the token from the first password reset process could be reused: once submitted, the user "hackthis" assumes ownership of that token. The system returns the security question, but at this point any arbitrary answer is accepted. The security question has been bypassed.
  3. After entering the correct information, an email containing a link is sent to the registered address, so an attack was needed to obtain this link or bypass the email step. To change the password, Litchfield copied the cookie value from the "hackthis" request he had made and substituted the cookie of a legitimate request with the one used earlier for the password reset.
  4. Once the password has been changed successfully, another security screen asks yet another security question because (in a live hack) you are logging in for the first time from a different IP address. After a few tries the expert discovered that the matching of the known IP address is limited to a Class B network range (XXX.XXX.0.0), so a brute-force attack could easily bypass this security measure.
  5. Once in, you have access to the administrator's PII and their customers'. And seeing as my last few attacks allow for free shopping, why stop there? Place an order, then use the virtual terminal to credit the money back to your account / credit card. Alternatively, you could just manually create your own order and charge yourself $1.00.
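Two of the defects in the chain above are design mistakes in the reset flow rather than anything PayPal-specific: a reset token that is not tied to the account that requested it and is not consumed on use (step 2), and a "known IP address" check that compares only the first two octets (step 4). The following is an added example, not code from Litchfield's write-up or from PayPal, that reproduces each weakness in a toy reset store beside its hardened counterpart. All user IDs, tokens and addresses are constructed for the demo.

```python
"""Added example (not PayPal's or Litchfield's code): a toy password-reset
flow reproducing two defects described in the article, each beside a
hardened version.

Defect 1: the reset token is not bound to the requesting account and is not
consumed on use, so a token issued for one merchant is accepted in the reset
form of another user ID.
Defect 2: the "new IP address" check compares only the first two octets, so
any address in the same /16 counts as the user's known address.

User IDs, tokens and addresses below are constructed for the demo.
"""

import hmac
import ipaddress
import secrets
import time


class VulnerableResetStore:
    """Mirrors the described behaviour: any live token works for any user."""

    def __init__(self):
        self.tokens = set()

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)  # the requesting user is never recorded
        return token

    def redeem(self, user_id, token):
        # Accepted for any user_id, and the token stays live afterwards.
        return token in self.tokens


class HardenedResetStore:
    """Token bound to one user, single-use and time-limited."""

    def __init__(self, ttl_seconds=900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now      # injectable clock so expiry can be exercised
        self.tokens = {}    # token -> (user_id, issued_at)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, self.now())
        return token

    def redeem(self, user_id, token):
        # pop() burns the token on every attempt, so a token presented with
        # the wrong user ID cannot be retried with the right one.
        entry = self.tokens.pop(token, None)
        if entry is None:
            return False
        bound_user, issued_at = entry
        if self.now() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(bound_user, user_id)


def ip_matches_weak(known, candidate):
    """Class B style match as the article describes: first two octets only."""
    return known.split(".")[:2] == candidate.split(".")[:2]


def ip_matches_strict(known, candidate):
    """Exact address comparison; malformed input raises instead of matching."""
    return ipaddress.ip_address(known) == ipaddress.ip_address(candidate)


def demo():
    """Run both flows against the article's scenario and return the outcomes."""
    results = {}

    vuln = VulnerableResetStore()
    t = vuln.issue("merchant-a")                          # victim's reset
    results["vuln_replay"] = vuln.redeem("hackthis", t)   # attacker's account
    results["vuln_reuse"] = vuln.redeem("hackthis", t)    # still live

    clock = [1000.0]
    hard = HardenedResetStore(ttl_seconds=900, now=lambda: clock[0])
    t = hard.issue("merchant-a")
    results["hard_replay"] = hard.redeem("hackthis", t)          # wrong user
    results["hard_after_replay"] = hard.redeem("merchant-a", t)  # already burned
    t = hard.issue("merchant-a")
    results["hard_ok"] = hard.redeem("merchant-a", t)
    results["hard_reuse"] = hard.redeem("merchant-a", t)         # single use
    t = hard.issue("merchant-a")
    clock[0] += 901
    results["hard_expired"] = hard.redeem("merchant-a", t)

    # Constructed addresses sharing the first two octets (same /16).
    results["ip_weak"] = ip_matches_weak("203.0.113.7", "203.0.55.1")
    results["ip_strict"] = ip_matches_strict("203.0.113.7", "203.0.55.1")
    results["ip_strict_same"] = ip_matches_strict("203.0.113.7", "203.0.113.7")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened store deliberately burns a token on a failed attempt: binding the token to the user who requested it closes the replay in step 2, single use closes the retry, and the expiry bounds how long a captured link stays useful. For the IP check, comparing whole addresses (or, if a tolerance is wanted, an explicit and documented prefix) removes the 65,536-address window the Class B match leaves open.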

What more can I say? I suggest reading the hack description to understand how the attacker eluded the security measures step by step. Very intriguing.

Pierluigi Paganini

(Security Affairs – PayPal Manager, hacking)

UPDATE May 17th 2014

PayPal patched a hole in its Manager portal this week that could have made it easy for an attacker to hijack an admin’s account, change their password and steal their personal information — not to mention their savings.
