December 8, 2014 By Shane Schick 2 min read

Updated 12.9.14

Ideally, mobile payment technologies should allow customers to complete a transaction in a single click, but a recently discovered PayPal vulnerability would have made it just as easy for cybercriminals to steal financial data.

The details of the PayPal vulnerability were first discovered by Yasser Ali, an independent Egypt-based researcher who reported it to the company as part of its Bug Bounty program in exchange for a $10,000 financial reward. Ali’s detailed blog post showed how cybercriminals could use the mobile payment giant’s Cross-Site Request Forgery (CSRF) token system, which logs in and authenticates users. If cybercriminals could use social-engineering techniques to convince a victim to click on a link, they could have reset passwords, changed payment methods and generally done whatever they wanted with an account.

Although an estimated 150 million accounts around the world could have theoretically been open to attack, the PayPal vulnerability has already been addressed, the company told The Register. Those who use the service should probably not be worried about their money or financial data, PayPal added, since cybercriminals have not demonstrated they were aware of Ali’s discovery before the fix was made.

In a statement to SecurityIntelligence.com, PayPal said, “One of our security researchers recently made us aware of a potential way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first, and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern.”

Online-only systems are often vulnerable in some way or another, but security researchers tend to focus only on techniques such as cross-site scripting or SQL injections, Sophos said on its Naked Security blog. CSRF is by no means innovative, but it isn’t hard to detect with free tools from the Open Web Application Security Project. Those who stay signed in to such services may be putting themselves at risk and overlooking a basic security precaution, Sophos said.

Implications of PayPal Vulnerability

Security is a particularly big issue for PayPal right now. As would-be competitors such as Apple Pay begin to make their way to consumers, the company has been trying to tout itself as a more trusted partner for facilitating mobile payments.

This recent PayPal vulnerability is certainly not the first time security researchers have been concerned, too. As part of the same Bug Bounty program, Vulnerability Labs revealed ways that cybercriminals could inject code into the company’s shipping service, as well as a remote code execution flaw that ITProPortal said took 18 months to patch.

Meanwhile, merchants who use PayPal were alerted last month that they could be in danger of the Poodle exploit that was affecting sites using Secure Socket Layer (SSL) v3. As a story on EcommerceBytes explained, the company has since decided to end support for that version of SSL, but it has worked to reduce the risk that secure connections were compromised in the meantime.

Although its Bug Bounty program could be considered a success, even PayPal must occasionally wonder whether cybercriminals will find it even more lucrative to beat security researchers to the punch when it comes to discovering the next flaw.

More from

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today