The security hole has been reported by Vulnerability Lab

Dec 12, 2012 20:51 GMT

PayPal has addressed a persistent input validation vulnerability that could have been leveraged by cybercriminals to remotely inject their own malicious code and even hijack user sessions. The security hole was identified back in June by Vulnerability Lab researchers.

According to the experts, the flaw affected the “Adressbook” core module. More precisely, it was located in the “search_str – Result” parameter of the “Adressbuch > Search > Benutzer/ Kontakt” module.

The affected section was the “Results - Index (Listing).”

“The persistent input validation vulnerability is located in the Adressbuch core module with the bound vulnerable search function when processing to request script code tags as `Addressbuch` contacts. The code will be executed out of the search result listing web context,” the researchers wrote in the advisory they published.

“Remote exploitation requires low user interaction and a privileged paypal banking application user account. Successful exploitation of the vulnerability results in persistent session hijacking (admin), account steal via persistent phishing or persistent search module web context manipulation.”

PayPal addressed the vulnerability around December 10. The company awarded the researchers $1,000 (800 EUR) for their findings.

Users who are interested in the technical side of this vulnerability can check out the details of the vulnerable module and the proof-of-concept provided by Vulnerability Lab.
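The flaw class the advisory describes, a stored contact value executing in the search result listing, is closed by encoding every value where it is written into the page. The sketch below is an added example, not PayPal's or Vulnerability Lab's code; the contact records, function names and markup are constructed for illustration.

```javascript
// Constructed address-book records; two names carry markup saved earlier.
const contacts = [
  { name: "Alice Example", email: "alice@example.test" },
  { name: "<script>/* constructed marker */</script>", email: "bob@example.test" },
  { name: 'Carol" onmouseover="/* marker */', email: "carol@example.test" },
];

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical search over stored contacts (case-insensitive substring match).
function search(searchStr) {
  const needle = String(searchStr).toLowerCase();
  return contacts.filter((c) =>
    c.name.toLowerCase().includes(needle) || c.email.toLowerCase().includes(needle));
}

// Before: stored and request values are concatenated into the listing as-is.
function renderResultsUnsafe(searchStr) {
  const rows = search(searchStr)
    .map((c) => `<li title="${c.name}">${c.name} (${c.email})</li>`).join("");
  return `<h2>Results for ${searchStr}</h2><ul>${rows}</ul>`;
}

// After: every value is encoded where it is written into the page.
function renderResultsSafe(searchStr) {
  const rows = search(searchStr).map((c) => {
    const name = escapeHtml(c.name);
    return `<li title="${name}">${name} (${escapeHtml(c.email)})</li>`;
  }).join("");
  return `<h2>Results for ${escapeHtml(searchStr)}</h2><ul>${rows}</ul>`;
}

// Regression check: element names in the output that the template never emits.
function unexpectedTags(html, allowed = ["h2", "ul", "li"]) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.add(tag);
  }
  return [...found];
}

console.log("unsafe:", unexpectedTags(renderResultsUnsafe("example.test")));
console.log("safe:  ", unexpectedTags(renderResultsSafe("example.test")));
```

Encoding at output covers both the stored contact fields and the search string echoed back in the heading, so the same check applies to either source.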
