December 8, 2014 By Shane Schick 2 min read

Updated 12.9.14

Ideally, mobile payment technologies should allow customers to complete a transaction in a single click, but a recently discovered PayPal vulnerability would have made it just as easy for cybercriminals to steal financial data.

The details of the PayPal vulnerability were first discovered by Yasser Ali, an independent Egypt-based researcher who reported it to the company as part of its Bug Bounty program in exchange for a $10,000 financial reward. Ali’s detailed blog post showed how cybercriminals could use the mobile payment giant’s Cross-Site Request Forgery (CSRF) token system, which logs in and authenticates users. If cybercriminals could use social-engineering techniques to convince a victim to click on a link, they could have reset passwords, changed payment methods and generally done whatever they wanted with an account.

Although an estimated 150 million accounts around the world could have theoretically been open to attack, the PayPal vulnerability has already been addressed, the company told The Register. Those who use the service should probably not be worried about their money or financial data, PayPal added, since cybercriminals have not demonstrated they were aware of Ali’s discovery before the fix was made.

In a statement to SecurityIntelligence.com, PayPal said, “One of our security researchers recently made us aware of a potential way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first, and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern.”

Online-only systems are often vulnerable in some way or another, but security researchers tend to focus only on techniques such as cross-site scripting or SQL injections, Sophos said on its Naked Security blog. CSRF is by no means innovative, but it isn’t hard to detect with free tools from the Open Web Application Security Project. Those who stay signed in to such services may be putting themselves at risk and overlooking a basic security precaution, Sophos said.

Implications of PayPal Vulnerability

Security is a particularly big issue for PayPal right now. As would-be competitors such as Apple Pay begin to make their way to consumers, the company has been trying to tout itself as a more trusted partner for facilitating mobile payments.

This recent PayPal vulnerability is certainly not the first time security researchers have been concerned, too. As part of the same Bug Bounty program, Vulnerability Labs revealed ways that cybercriminals could inject code into the company’s shipping service, as well as a remote code execution flaw that ITProPortal said took 18 months to patch.

Meanwhile, merchants who use PayPal were alerted last month that they could be in danger of the Poodle exploit that was affecting sites using Secure Socket Layer (SSL) v3. As a story on EcommerceBytes explained, the company has since decided to end support for that version of SSL, but it has worked to reduce the risk that secure connections were compromised in the meantime.

Although its Bug Bounty program could be considered a success, even PayPal must occasionally wonder whether cybercriminals will find it even more lucrative to beat security researchers to the punch when it comes to discovering the next flaw.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today