PayPal Vulnerability: How Attackers Were One Click Away From Wreaking Havoc

December 8, 2014 @ 12:54 PM
| |
2 min read

Updated 12.9.14

Ideally, mobile payment technologies should allow customers to complete a transaction in a single click, but a recently discovered PayPal vulnerability would have made it just as easy for cybercriminals to steal financial data.

The details of the PayPal vulnerability were first discovered by Yasser Ali, an independent Egypt-based researcher who reported it to the company as part of its Bug Bounty program in exchange for a $10,000 financial reward. Ali’s detailed blog post showed how cybercriminals could use the mobile payment giant’s Cross-Site Request Forgery (CSRF) token system, which logs in and authenticates users. If cybercriminals could use social-engineering techniques to convince a victim to click on a link, they could have reset passwords, changed payment methods and generally done whatever they wanted with an account.

Although an estimated 150 million accounts around the world could have theoretically been open to attack, the PayPal vulnerability has already been addressed, the company told The Register. Those who use the service should probably not be worried about their money or financial data, PayPal added, since cybercriminals have not demonstrated they were aware of Ali’s discovery before the fix was made.

In a statement to SecurityIntelligence.com, PayPal said, “One of our security researchers recently made us aware of a potential way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first, and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern.”

Online-only systems are often vulnerable in some way or another, but security researchers tend to focus only on techniques such as cross-site scripting or SQL injections, Sophos said on its Naked Security blog. CSRF is by no means innovative, but it isn’t hard to detect with free tools from the Open Web Application Security Project. Those who stay signed in to such services may be putting themselves at risk and overlooking a basic security precaution, Sophos said.

Implications of PayPal Vulnerability

Security is a particularly big issue for PayPal right now. As would-be competitors such as Apple Pay begin to make their way to consumers, the company has been trying to tout itself as a more trusted partner for facilitating mobile payments.

This recent PayPal vulnerability is certainly not the first time security researchers have been concerned, too. As part of the same Bug Bounty program, Vulnerability Labs revealed ways that cybercriminals could inject code into the company’s shipping service, as well as a remote code execution flaw that ITProPortal said took 18 months to patch.

Meanwhile, merchants who use PayPal were alerted last month that they could be in danger of the Poodle exploit that was affecting sites using Secure Socket Layer (SSL) v3. As a story on EcommerceBytes explained, the company has since decided to end support for that version of SSL, but it has worked to reduce the risk that secure connections were compromised in the meantime.

Although its Bug Bounty program could be considered a success, even PayPal must occasionally wonder whether cybercriminals will find it even more lucrative to beat security researchers to the punch when it comes to discovering the next flaw.

Shane Schick
Writer & Editor
Shane Schick is a contributor for SecurityIntelligence.