A flaw that would allow anyone with the right knowledge to hijack any of PayPal’s 150 million customer accounts with a single click has been found by cyber-security researcher Yasser Ali. The Egyptian security researcher was awarded a generous US$ 10,000 bug bounty.
Ali explained, in a video demo of the bug and a blog post, that this critical vulnerability allowed an attacker to hijack any PayPal account, enter their own contact details, and also modify the shipping and billing addresses as well as the payment methods.
Ali, who received PayPal’s maximum bug bounty award of US$ 10,000, said that PayPal fixed the flaw immediately.
This makes it the second bug Ali has discovered this year. Back in May, Ali exposed a gap in the security of eBay, the global auction website (PayPal, of course, is owned by eBay). That gap would have allowed an attacker to hack any of eBay’s 150 million-plus user accounts.
Ali sent a report of that bug to “Hacker News”, whose technical details were kept secret until September to give eBay’s security team enough time to patch it.
Ali’s blog post describing the latest PayPal issue makes clear that he discovered several (three, to be exact) security vulnerabilities which, when combined, allowed a user’s account to be taken over.
Ali found a way around PayPal’s CSRF (Cross-Site Request Forgery) protection, a security mechanism designed to authenticate all of a user’s requests once they have logged on to PayPal’s website.
As Ali explained, thanks to this flaw an attacker could capture the CSRF Auth security token, after which they were able to validate nearly any request they wanted to make on the user’s behalf.
He discovered that this CSRF Auth token could be re-used, which meant that any logged-on PayPal user could be impersonated, not just a single one.
Finally, Ali found that an attacker could change a PayPal user’s security questions without needing the user’s password. Thus, with access to the CSRF Auth validation, attackers could obtain the account’s access details and then ‘simply’ hijack any account they liked.
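The three issues above all come down to how an anti-CSRF token is bound and what a sensitive action demands. The following Python is an added illustration written for this article; it is not PayPal’s code and not Ali’s proof of concept. It models the weakness class described (a token that is accepted for any session, never expires and can be replayed, and a security-question change that does not re-check the password) next to a hardened guard whose token is an HMAC over the session id, the action name, a timestamp and a single-use nonce. All class and function names, the demo key and the session ids are constructed for the example.

```python
"""Constructed example: a reusable, session-independent CSRF token versus one bound
to the session, the action and a time window. Not PayPal's code; names are assumed."""
import hashlib
import hmac
import secrets
import time

# Constructed demo key. A real service loads this from a secret store, never source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


class WeakCsrfGuard:
    """Models the weakness class the article describes: one token value that any
    session can present, that is not tied to a user, and that never expires."""

    def __init__(self):
        self._token = secrets.token_hex(16)

    def issue(self, session_id):
        # Same value for every session, so a token captured once works for everyone.
        return self._token

    def validate(self, session_id, token):
        return hmac.compare_digest(token, self._token)


class HardenedCsrfGuard:
    """Token = timestamp.nonce.HMAC(key, session_id|action|timestamp|nonce).
    Accepted only for the session and action it was issued for, inside the TTL,
    and only once."""

    def __init__(self, key, ttl_seconds=900):
        self._key = key
        self._ttl = ttl_seconds
        self._used = set()  # nonces already spent; a store with expiry in production

    def _mac(self, session_id, action, ts, nonce):
        msg = f"{session_id}|{action}|{ts}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, action, now=None):
        ts = int(now if now is not None else time.time())
        nonce = secrets.token_hex(8)
        return f"{ts}.{nonce}.{self._mac(session_id, action, ts, nonce)}"

    def validate(self, session_id, action, token, now=None):
        now = int(now if now is not None else time.time())
        try:
            ts_str, nonce, mac = token.split(".")
            ts = int(ts_str)
        except ValueError:
            return False
        if ts > now or now - ts > self._ttl:  # from the future, or expired
            return False
        if nonce in self._used:               # replay of a token already spent
            return False
        expected = self._mac(session_id, action, ts, nonce)
        if not hmac.compare_digest(mac, expected):
            return False
        self._used.add(nonce)
        return True


def change_security_questions(guard, session_id, token, password_verified, now=None):
    """Account-recovery settings need a fresh password check as well as a valid CSRF
    token; the article's third issue was that the password step was missing."""
    if not password_verified:
        return "rejected: re-authentication required"
    if not guard.validate(session_id, "change_security_questions", token, now=now):
        return "rejected: invalid CSRF token"
    return "ok"


def demo():
    """Exercise both guards with constructed sessions and a fixed clock."""
    weak = WeakCsrfGuard()
    victim_token = weak.issue("victim-session")

    hard = HardenedCsrfGuard(SERVER_KEY, ttl_seconds=900)
    t0 = 1_700_000_000
    tok = hard.issue("victim-session", "change_security_questions", now=t0)
    act = "change_security_questions"
    return {
        # a token seen in one session validates any other session under the weak scheme
        "weak_token_works_for_other_session": weak.validate("other-session", victim_token),
        "hard_other_session": hard.validate("other-session", act, tok, now=t0),
        "hard_other_action": hard.validate("victim-session", "change_address", tok, now=t0),
        "hard_expired": hard.validate("victim-session", act, tok, now=t0 + 901),
        "hard_no_password": change_security_questions(hard, "victim-session", tok, False, now=t0),
        "hard_first_use": change_security_questions(hard, "victim-session", tok, True, now=t0),
        "hard_replay": change_security_questions(hard, "victim-session", tok, True, now=t0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened guard fails closed on every mismatch: a token from another session, a token issued for a different action, an expired token and a replayed token are all rejected, and a security-question change is refused before the token is even checked unless the password has just been re-verified. A `WeakCsrfGuard` token, by contrast, is accepted from any session, which is the property the article describes as letting any logged-on user be impersonated.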
A PayPal spokesperson confirmed that one of the security researchers in its Bug Bounty Programme had made it aware of the issue within PayPal’s CSRF protection authorization system. He also noted that the security team had already fixed the issue. However, the spokesperson could not confirm whether any user account had been compromised.
Fran Howarth, senior security analyst at Bloor Research, commented that Ali’s research highlighted both the problem of cross-site request forgery vulnerabilities in general and PayPal’s own security weaknesses.
She said CSRF is consistently one of the top ten flaws affecting web applications, and noted that it is crucial that every deliverer of a web application be aware of it and test for it thoroughly, especially when that web application is a payment system.
Howarth added that this will certainly not be the last time researchers find such severe bugs in PayPal’s system. Instead of just hotfixing the faults as they come up, PayPal should consider a more secure regime of application development and testing.
Meanwhile Scott MacKenzie, a cyber-security expert and CISO at UK security solutions, said Ali’s research shows how valuable bug bounty programmes are. Yasser Ali identified three vulnerabilities in the PayPal system: an Auth token bypass, a CSRF flaw and a flaw that would let security questions be reset. It is praiseworthy that PayPal patched these vulnerabilities rapidly and also paid Yasser the bounty he had well earned under the terms of PayPal’s bug bounty programme.
He also said that organizations adopting such bug bounty programmes are taking a very positive step, because the more people look into your code for possible vulnerabilities, the more secure your resulting systems become.
Bug bounty programmes are nearly the best way not just to reward security researchers but also to secure the systems of any organization connected to the internet, since their security is being tested constantly.
Even the biggest online web application developers and companies cannot protect themselves from vulnerabilities, which means that their users cannot be protected at all times either. Consumers can then take action to protect their private data and sensitive information. The simplest way of doing so is to use a VPN service. We suggest NordVPN, as they offer extra high data encryption and advanced security measures such as a no-logs policy, Tor over VPN and double VPN service.