PayPal fixes application-side security bug

Mar 30, 2016 20:10 GMT

Benjamin Kunz Mejri, security researcher at German firm Vulnerability Lab, has helped PayPal discover and patch a bug in one of the service's features that would have allowed attackers to use PayPal's own servers to send emails containing malicious code.

The researcher's technical write-up is a little complex for people without programming skills, so here is the attack scenario in plain terms.

The security bug revolves around a user's ability to share a PayPal account with other people. The attacker only has to create an account, and then add the email addresses of the people he wants to share the account with. By default, PayPal will send these people an email to verify their identity.

Mr. Mejri found that he could insert malicious code into his account's username, which PayPal's automated emailing application would then pick up and embed in the emails sent to those people.

Flaw could be used to carry out phishing attacks via official PayPal email address

When the email reached its target and the victim opened it, the malicious code would execute automatically in the victim's email client.

A successful attack would allow a hacker to carry out session hijacking and redirect victims to external sites, but the most dangerous scenario is one where the user is asked to click a link and enter his PayPal credentials on a phishing site. Since the email comes from PayPal's official email address, most users won't suspect a thing.
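The root cause described above is untrusted profile data being interpolated into an HTML email template without output encoding. The following added example is not PayPal's code: the template, the display-name field and the helper names are assumptions for illustration. It places the vulnerable rendering pattern beside two mitigations, HTML-escaping at render time and rejecting markup in the name at account-creation time.

```python
import html
import re

# Constructed sample display name carrying an injected link. PayPal's real
# template and data model are not public; everything here is assumed.
SAMPLE_NAME = 'Alice <a href="https://example.invalid/login">Reset your password</a>'

# Hypothetical invitation template; {name} is the only untrusted slot.
TEMPLATE = (
    "<p>{name} has invited you to access a shared PayPal account.</p>"
    '<p><a href="https://example.invalid/verify">Verify your identity</a></p>'
)


def render_invite_vulnerable(name: str) -> str:
    """Interpolates the display name verbatim, so any markup stored in it
    becomes part of the email and is rendered by the recipient's client."""
    return TEMPLATE.format(name=name)


def render_invite_safe(name: str) -> str:
    """Output-encodes the untrusted value so tags and quotes appear as
    literal text instead of being interpreted by the mail client."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


# Allow-list applied when the display name is first stored: letters, digits,
# spaces and a few punctuation marks. Angle brackets and quotes never get in.
_NAME_RE = re.compile(r"[\w .'\-]{1,64}")


def is_valid_display_name(name: str) -> bool:
    """Returns True only if the whole name matches the allow-list."""
    return _NAME_RE.fullmatch(name) is not None


def injected_tag_survives(rendered: str) -> bool:
    """Detection helper for a test harness: did the attacker-controlled
    anchor from SAMPLE_NAME reach the rendered email intact?"""
    return '<a href="https://example.invalid/login">' in rendered


if __name__ == "__main__":
    print("vulnerable leaks tag:", injected_tag_survives(render_invite_vulnerable(SAMPLE_NAME)))
    print("escaped leaks tag:   ", injected_tag_survives(render_invite_safe(SAMPLE_NAME)))
    print("name accepted:       ", is_valid_display_name(SAMPLE_NAME))
```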

"Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction," Mejri explained. For his efforts, the researcher was awarded $1,000 through PayPal's bug bounty program.

Mr. Mejri also provided a video of how he exploited PayPal to send malicious emails.