The Egyptian security researcher Yasser H. Ali has reported three critical vulnerabilities in the PayPal website that could be exploited by an attacker to compromise users' accounts. The vulnerabilities are a CSRF flaw, an authentication token bypass, and a security question reset flaw. It is not the first time Yasser has discovered bugs of this kind: he previously found a series of vulnerabilities in the eBay website that allowed him to hijack any eBay account in just 1 minute.
The PayPal website is affected by a CSRF (Cross-Site Request Forgery) vulnerability that allows an attacker to hijack users' accounts; the vulnerability potentially puts millions of PayPal users' accounts at risk. CSRF lets an attacker cause an end user to execute unwanted actions on a web application in which that user is already authenticated. In a typical attack scheme, the attacker sends a link via email or through a social media platform, or shares a specially crafted HTML exploit page, to trick the victim into executing actions of the attacker's choosing.
Yasser H. Ali has provided a Proof-of-Concept (PoC) video that explains how to exploit the flaw using a single exploit that chains the three vulnerabilities. As reported by our colleagues at THEHACKERNEWS, Yasser used the CSRF exploit to associate a new secondary email ID with the targeted PayPal account and to reset the answers to the security questions of the victim's account.
To reject bogus requests sent by an attacker impersonating the legitimate account holder, PayPal implements an authentication mechanism based on tokens, but Yasser successfully bypassed it to generate exploit code for targeted attacks.
“I found out that the CSRF Auth is reusable for that specific user email address or username. This means that if an attacker found any of these CSRF tokens, he can then make actions on behalf of any logged-in user,” Yasser explained to The Hacker News.
By executing the exploit, Yasser H. Ali adds an attacker-controlled email ID to the victim's account; the new email can then be used to reset the account password through the “Forgot Password” procedure implemented by PayPal. At this point the attacker has a foothold in the victim's account, but to definitively lock out the legitimate account holder he needs to change the victim's password. To do so, the attacker has to answer the security questions configured by the user at sign-up, which is an additional obstacle to the account takeover.
However, Yasser discovered another bug in PayPal that allows the attacker to reset the security questions and answers chosen by the account holder. Exploiting this last flaw, Yasser bypassed this PayPal security feature and set a new password for the victim's account. Yasser reported the flaws to PayPal, which has already patched them; the report was accepted through PayPal's Bug Bounty Program.
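The root cause Yasser describes is a CSRF token that is the same for a given user across every session and never expires, so one leaked token authorizes any later state-changing request. The following is an added example, not code from the article or from PayPal, that contrasts such a weak token (derived only from the account identifier) with a per-session, single-use token that a server should use instead; the secret, session IDs and email address are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder secret for the demo, not a real value from any service.
SERVER_SECRET = b"constructed-demo-secret"


def weak_token(user_email: str) -> str:
    """Weak scheme: token is a fixed function of the account identifier.
    It is identical in every session of that user and never expires."""
    return hmac.new(SERVER_SECRET, user_email.encode(), hashlib.sha256).hexdigest()


def weak_validate(user_email: str, token: str) -> bool:
    # Constant-time compare, but the token itself is reusable forever.
    return hmac.compare_digest(weak_token(user_email), token)


class SessionCsrf:
    """Hardened scheme: random token bound to the server-side session and
    consumed on first use, so replay and cross-session reuse both fail."""

    def __init__(self) -> None:
        self._tokens: dict[str, set[str]] = {}  # session_id -> outstanding tokens

    def issue(self, session_id: str) -> str:
        tok = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, set()).add(tok)
        return tok

    def validate_and_consume(self, session_id: str, token: str) -> bool:
        outstanding = self._tokens.get(session_id, set())
        match = next((t for t in outstanding if hmac.compare_digest(t, token)), None)
        if match is None:
            return False
        outstanding.discard(match)  # single use: a second submission is rejected
        return True


def demo() -> tuple[bool, bool, bool, bool]:
    victim = "victim@example.invalid"  # constructed address
    # Weak: a token observed once keeps working for every later request.
    captured = weak_token(victim)
    weak_reusable = weak_validate(victim, captured) and weak_validate(victim, captured)
    store = SessionCsrf()
    tok = store.issue("sess-A")
    first = store.validate_and_consume("sess-A", tok)   # accepted once
    replay = store.validate_and_consume("sess-A", tok)  # replay rejected
    cross = store.validate_and_consume("sess-B", tok)   # other session rejected
    return weak_reusable, first, replay, cross
```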