The bug was originally discovered in September

Dec 1, 2016 10:43 GMT  ·  By

Security researcher Antonio Sanso, who also works as a software engineer at Adobe, discovered a critical security issue in PayPal that allowed attackers to steal the OAuth tokens used by payment apps created by third-party developers.

In a blog post published a couple of days ago, Sanso explains that the issue might exist on other websites too, since many more services, Facebook and Google among them, rely on the same authentication standard that exposed PayPal's tokens.

Specifically, it all comes down to how PayPal handles the redirect_uri parameter when granting authentication tokens to applications. The payment service lets developers register their apps with PayPal through a dedicated dashboard, which generates token requests that are then submitted to a central authorization server.

“While testing my own OAuth client I have noticed something a bit fishy. The easier way to describe it is using an OAuth application from PayPal itself (remember the vulnerability I found is universal aka worked with every client!),” the security expert notes (via PCAuthority).

Localhost is the magic word

What he managed to do was trick the authorization server into accepting localhost in the redirect_uri parameter, which made it possible to send a PayPal authorization response to a third-party domain such as localhost.domainname.com, where he could easily capture the data.

“So it really looks like that even if PayPal did actually perform exact matching validation, localhost was a magic word and it overrides the validation completely,” he noted, adding that developers should “register a redirect_uri as specific as they can.”
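To make the validation flaw concrete, here is an added example (not code from PayPal or from Sanso's post) that models an authorization server's redirect_uri check: a weak version that treats a host beginning with "localhost" as a magic word that overrides exact matching, beside a strict version that only compares the full parsed URI. The registered callback URI, the loopback rule in the strict check and the localhost.domainname.com probe are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample: the redirect_uri a hypothetical client registered with
# the authorization server (an assumption, not real PayPal data).
REGISTERED_REDIRECT_URI = "https://client.example/oauth/callback"

# Constructed sample modelled on the article: a host that merely *starts*
# with the word "localhost" but is owned by a third party.
LOOKALIKE_REDIRECT_URI = "https://localhost.domainname.com/collect"


def weak_redirect_check(registered: str, requested: str) -> bool:
    """Models the flaw the article describes: exact matching is performed,
    but any host that starts with 'localhost' is waved through as a developer
    convenience, so localhost.domainname.com passes as if it were loopback."""
    if requested == registered:
        return True
    host = urlsplit(requested).hostname or ""
    return host.startswith("localhost")  # the 'magic word' override


def strict_redirect_check(registered: str, requested: str) -> bool:
    """Hardened form: the requested redirect_uri must match the registered
    value byte-for-byte. The only relaxation (an assumption for this example,
    modelled on common loopback practice) is that a client which registered a
    loopback URI may vary the port; the host is compared whole, never by
    prefix, so a lookalike domain can never satisfy the check."""
    if requested == registered:
        return True
    reg, req = urlsplit(registered), urlsplit(requested)
    loopback_hosts = {"localhost", "127.0.0.1", "::1"}
    return (
        reg.hostname in loopback_hosts
        and req.hostname == reg.hostname   # whole-host comparison
        and req.scheme == reg.scheme
        and req.path == reg.path
        and req.query == reg.query
        and req.fragment == ""
    )


def audit(requested: str) -> dict:
    """Run one requested redirect_uri through both checks for comparison."""
    return {
        "weak": weak_redirect_check(REGISTERED_REDIRECT_URI, requested),
        "strict": strict_redirect_check(REGISTERED_REDIRECT_URI, requested),
    }
```

Running `audit(LOOKALIKE_REDIRECT_URI)` shows the weak check accepting the lookalike host while the strict check rejects it; only the exact registered URI passes both.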

And here is the fun part. According to his blog post, Sanso reported the vulnerability to PayPal in September, but the team replied that “this is not a vulnerability.” After pressing them to look into the problem, PayPal analyzed the report and eventually released a fix in November. The researcher also received a bounty for his disclosure.