December 8, 2014 By Shane Schick 2 min read

Updated 12.9.14

Ideally, mobile payment technologies should allow customers to complete a transaction in a single click, but a recently discovered PayPal vulnerability would have made it just as easy for cybercriminals to steal financial data.

The vulnerability was discovered by Yasser Ali, an independent Egypt-based researcher, who reported it through the company’s Bug Bounty program and received a $10,000 reward. Ali’s detailed blog post showed how an attacker could bypass the mobile payment giant’s Cross-Site Request Forgery (CSRF) protection, the token check that is meant to ensure a state-changing request really came from the user’s own logged-in session rather than from another website. Because a browser attaches the victim’s PayPal session cookie to any request it sends, an attacker who could use social-engineering techniques to convince a logged-in victim to click on a link could have reset the password, changed payment methods and generally done whatever they wanted with the account.

Although an estimated 150 million accounts around the world could theoretically have been open to attack, the PayPal vulnerability has already been addressed, the company told The Register. Those who use the service should probably not be worried about their money or financial data, PayPal added, since there is no evidence that cybercriminals were aware of Ali’s discovery before the fix was made.

In a statement to SecurityIntelligence.com, PayPal said, “One of our security researchers recently made us aware of a potential way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first, and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern.”

Online-only systems are often vulnerable in some way or another, but security researchers tend to focus only on techniques such as cross-site scripting or SQL injection, Sophos said on its Naked Security blog. CSRF is by no means new, and it isn’t hard to detect with free tools from the Open Web Application Security Project. Those who stay signed in to such services may be putting themselves at risk and overlooking a basic security precaution, Sophos said.
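The two passages above describe the attack (a forged request riding on the victim’s live session) and the defence (a CSRF token that the attacker cannot supply). The following added example, which is not PayPal’s code and does not reproduce the specific flaw Ali reported, contrasts a bypassable token check with one bound to the session. The session store, the `change_email` handler and the token formats are hypothetical; the point it demonstrates is that a token which is missing-but-accepted, or derived only from the username, protects nothing, while a per-session HMAC token that is required and compared in constant time defeats both a token-less forgery and a token captured from the attacker’s own session.

```python
"""Added illustration of a bypassable CSRF check beside a session-bound one.

Not PayPal's code and not a reproduction of the reported bug: the
session store, handler and token formats below are hypothetical.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment key (hypothetical)

# Session store: session id -> account state (constructed for the demo).
SESSIONS = {}


def login(user):
    """Create a session for `user` and return its id (the cookie value)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "email": f"{user}@example.com"}
    return sid


# --- Weak scheme -----------------------------------------------------------
# The token depends only on the username, so anyone who learns (or computes)
# one valid token for a user can replay it from another site, and a request
# with no token at all is silently accepted.
def weak_token(user):
    return hashlib.sha256(user.encode()).hexdigest()[:16]


def weak_check(sid, form):
    token = form.get("csrf")
    if token is None:
        return True                       # missing token accepted: bypass
    return token == weak_token(SESSIONS[sid]["user"])


# --- Hardened scheme -------------------------------------------------------
# The token is an HMAC over the session id under a server-side key, so it is
# only valid for the session that was issued it; it is mandatory and compared
# in constant time.
def strong_token(sid):
    return hmac.new(SERVER_SECRET, sid.encode(), "sha256").hexdigest()


def strong_check(sid, form):
    token = form.get("csrf")
    if not token:
        return False                      # missing token rejected
    return hmac.compare_digest(token, strong_token(sid))


def change_email(check, sid, form):
    """State-changing handler guarded by the supplied CSRF check.

    Returns True if the change was applied, False if it was refused.
    """
    if sid not in SESSIONS or not check(sid, form):
        return False
    SESSIONS[sid]["email"] = form["email"]
    return True


def attack(check, token_for_victim):
    """Simulate a forged cross-site POST against a freshly logged-in victim.

    The browser attaches the victim's session cookie automatically; the
    attacker controls only the form body, including whatever token they
    managed to obtain (None if they have none).
    Returns (request_applied, victim_email_after_request).
    """
    victim_sid = login("victim")
    form = {"email": "attacker@evil.example"}
    if token_for_victim is not None:
        form["csrf"] = token_for_victim
    applied = change_email(check, victim_sid, form)
    return applied, SESSIONS[victim_sid]["email"]


if __name__ == "__main__":
    print("weak, no token:      ", attack(weak_check, None))
    print("weak, computed token:", attack(weak_check, weak_token("victim")))
    print("strong, no token:    ", attack(strong_check, None))
    attacker_sid = login("attacker")
    print("strong, own token:   ", attack(strong_check, strong_token(attacker_sid)))
```

Running the script shows the weak handler changing the victim’s e-mail address in both forged cases and the hardened handler refusing both. Note what the hardened version still does not do: it only helps while the user has a live session to forge against, which is exactly why Sophos’ advice to sign out matters, and it assumes the token is delivered in the form body or a header, never in a cookie, since the browser would send a cookie-borne token along with the forged request.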

Implications of PayPal Vulnerability

Security is a particularly big issue for PayPal right now. As would-be competitors such as Apple Pay begin to make their way to consumers, the company has been trying to tout itself as a more trusted partner for facilitating mobile payments.

This recent PayPal vulnerability is certainly not the first time security researchers have raised concerns, either. As part of the same Bug Bounty program, Vulnerability Labs revealed ways that cybercriminals could inject code into the company’s shipping service, as well as a remote code execution flaw that ITProPortal said took 18 months to patch.

Meanwhile, merchants who use PayPal were alerted last month that they could be exposed to the POODLE attack, which affects sites still accepting Secure Sockets Layer (SSL) 3.0. As a story on EcommerceBytes explained, the company has since decided to end support for that version of SSL, and in the meantime it has worked to reduce the risk that secure connections could be compromised.

Although its Bug Bounty program could be considered a success, even PayPal must occasionally wonder whether cybercriminals will find it more lucrative to beat security researchers to the punch in discovering the next flaw.
