Bug gets fixed when the security team checks PoC

Jan 3, 2015 16:41 GMT  ·  By

A security researcher presenting his findings about a new method for stealing sensitive information from a PayPal account received no reward through the Bug Bounty Program, although security experts at the company fixed the bug the moment they checked the proof-of-concept.

The researcher discovered that PayPal does not verify the actual contents of a file uploaded through a page such as the one for generating an invoice, and trusts the file's extension implicitly: if the uploader supplies a different type of file, the data is still served back, from the paypal.com domain, with a MIME type (the media type of the message content) that does not match its real contents.

PoC page loads sensitive info from PayPal account

After realizing this, the researcher, who goes by the online moniker Multibear, decided to try an attack by uploading a Flash file, given the fact that this format does not take into account the reported MIME type; “if a response begins with a valid Flash file, as far as Flash is concerned, it's a valid Flash file,” the researcher wrote in a blog post.
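The mitigation this paragraph implies is to decide by content rather than by extension, and to refuse anything that begins with a Flash header no matter what the extension or MIME type says. The following Python is an added example, not PayPal's code or the researcher's PoC; the accepted types, the `validate_upload` function and the sample uploads are assumptions constructed here.

```python
# Added example (not PayPal's code): accept an upload only when its leading
# bytes match the file type its extension claims, and reject anything that
# starts with a Flash (SWF) header regardless of extension, because Flash
# Player ignores the served MIME type and treats any response beginning with
# FWS/CWS/ZWS as a movie hosted on that origin.

from typing import Dict, Tuple

# Signatures for the types a hypothetical invoice uploader accepts: each
# extension maps to the byte prefixes a genuine file of that type starts with.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# SWF containers: uncompressed, zlib-compressed and LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The content decides; the extension alone never does."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension '{ext}' not allowed"
    if not data:
        return False, "empty file"
    # Active-content check comes first: a Flash header at offset 0 is rejected
    # even when the extension (and, downstream, the MIME type) says "image".
    if data.startswith(SWF_SIGNATURES):
        return False, "content is a Flash (SWF) file"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match a .{ext} file"
    return True, "ok"


# Constructed sample uploads (not real traffic): a genuine PNG, a compressed
# SWF renamed to .png, a genuine PDF, and an executable with a disallowed extension.
SAMPLES: Dict[str, bytes] = {
    "invoice.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "logo.png": b"CWS\x0a" + b"\x00" * 16,
    "scan.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "notes.exe": b"MZ" + b"\x00" * 8,
}


def check_samples() -> Dict[str, Tuple[bool, str]]:
    """Run every constructed sample through the validator."""
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name:12} {'ACCEPT' if ok else 'REJECT':6} {reason}")
```

Content checks of this kind are only half of the fix: files users upload should also be served from a separate domain that holds no session cookies and no permissive cross-domain policy, so that a file that slips through still cannot act on the user's account.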

He also added that, combined with the lax policies set in the cross-domain XML file, which manages Adobe Flash Player's communication with servers other than the one it is hosted on, an attacker could upload absolutely any file to absolutely any PayPal subdomain in order to compromise an account.
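The second ingredient is the cross-domain policy itself. The Python below is an added example, not PayPal's policy file or any tool from the researcher: it parses a crossdomain.xml and reports the settings that let Flash content on another origin (including a wildcard of sibling subdomains) make authenticated requests to the host. The `audit_crossdomain` function and both sample policies, which use example.com as a placeholder domain, are assumptions constructed here.

```python
# Added example (not PayPal's policy): flag the crossdomain.xml settings that
# extend Flash cross-origin access beyond a single trusted host.

import xml.etree.ElementTree as ET
from typing import List


def audit_crossdomain(policy_xml: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing permissive was found."""
    findings: List[str] = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # "all" lets a policy file placed anywhere on the host (e.g. an uploaded
    # file) grant access; "master-only" or "none" confines it to the root policy.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append("site-control permits policy files anywhere on the host")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*' grants every origin access")
        elif domain.startswith("*."):
            findings.append(
                f"allow-access-from domain={domain!r} trusts every subdomain, "
                "including any that serves user-uploaded content"
            )
        # secure defaults to true on HTTPS hosts; "false" admits plain-HTTP callers.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from domain={domain!r} allows plain-HTTP callers (secure=\"false\")")

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append("allow-http-request-headers-from domain='*' lets any origin send custom headers")

    return findings


# Constructed sample policies (example.com is a placeholder, not a real target).
PERMISSIVE_POLICY = """
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

RESTRICTIVE_POLICY = """
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="payments.example.com" secure="true"/>
</cross-domain-policy>
"""


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        found = audit_crossdomain(policy)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

The restrictive policy names one exact host and keeps `permitted-cross-domain-policies` at `master-only`, so a file uploaded to some other subdomain, however it is served, cannot act on the account-bearing host through Flash.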

“To be clear -- with this attack, any user who visits a page under my control can have arbitrary requests made on their account. All money stolen, all details stolen, Mission Accomplished!” the researcher said.

As soon as the glitch was discovered, the researcher notified PayPal, providing a proof-of-concept to show that the attack worked.

A few days later, he created another proof-of-concept consisting of a web page that loaded sensitive information from the PayPal account of anyone who accessed it while logged in.

According to the researcher, after submitting his report, which contained a link to a monitored proof-of-concept (PoC) page, more than a week passed with no reply from the company representatives.

Evidence of previous reporting of the issue not provided

When the company representatives contacted him, they said that the security vulnerability he found was not eligible for a bounty because another researcher had already reported it.

The reply from PayPal came without anyone taking a look at Multibear’s PoC page, he claims. He also pointed to the fact that the bug had been active for a week.

On the other hand, the researcher says that the bug was fixed the same night PayPal did access the PoC page.

The timeline for the vulnerability disclosure is unknown, but replies to the security researcher's blog post claim that the same security flaw had previously been reported to PayPal and earned a small reward.

But regardless of this aspect, one may wonder why PayPal left the bug unattended for a week before they plugged the hole. Moreover, the researcher says that although he believes that the flaw had been previously reported, he would have wanted some evidence of this fact.

[UPDATE, January 5]: According to a recent post on Reddit, a security researcher has indeed discovered the same bug as Multibear and disclosed it to PayPal, providing a PoC too, but it seems that PayPal took more than 50 days to come up with a fix, despite the fact that the researcher reminded them of the severity of the issue on several occasions during that time.

Photo Gallery (2 Images): Proof-of-concept showing the attack works; Taking over the PayPal account of a victim