Ionut Cernica, an independent security researcher working with Vulnerability Lab, has identified a critical-severity flaw in PayPal that could have been leveraged by cybercriminals to delete any account and create a new one with the same username. Fortunately, the payment processor has addressed the issue.
The vulnerability in question could have been exploited remotely and it didn’t require any interaction from the victim.
“After testing the web application paypal.com I discovered that if you have a US account and the following page is visited, you can add a new email from that page. The problem is even [though] the e-mail you try to add to your account is already registered with PayPal the new e-mail will be added into your account as unconfirmed,” the researcher noted.
“After you added an existing email to your account, if you go to the account profile and you delete the unconfirmed email, the original account will be deleted too,” he explained in his report.
Once the targeted account was removed, the attacker could have registered a new account with the username of the account that was just deleted. However, the new account would have no balance and it would be unconfirmed.
According to Vulnerability Lab, the issue was first reported to PayPal in late April, and the company claimed to have addressed it in May. However, Cernica said he was still able to exploit it later on.
Experts believe PayPal has properly addressed it sometime this month.
Take a look at the proof-of-concept video below which shows how the vulnerability could have been exploited.
Update. PayPal has reached out to Softpedia with the following statement:
“Despite recent reports of a PayPal vulnerability that allows users to delete any account and replace it with one of their own, we want to confirm that we have never received any valid bugs related to that issue on PayPal.com and did not issue a reward for it.
If a researcher identifies a valid bug on our site, we encourage them to responsibly report it to our Bug Bounty program so we can reward and recognize those researchers that help keep PayPal a safer place for our customers.”
Update2. Cernica has published a blog post to clarify this whole story. He has provided details on his collaboration with both Vulnerability Lab and PayPal.