Security researcher Yasser Ali has publicly disclosed what appear to be three new vulnerabilities in PayPal’s website. When used together, Ali claims they can be used to hijack anyone’s account in a targeted attack.
The “targeted attack” part here is important: even if Ali’s findings work exactly as he describes, an attacker would still require some initial information, most critically the email address used for a given PayPal login, as well as a way to lure the victim into clicking on a malicious link. With those two key pieces, anyone could potentially take full control over a PayPal account.
An attacker could perform the following on your PayPal account, according to Ali:
- Add/Remove/Confirm email address
- Add fully privileged users to a business account
- Change security questions
- Change billing/shipping address
- Change payment methods
- Change user settings (including notifications and other mobile settings)
Ali has created a proof-of-concept video that shows his exploit tying all three vulnerabilities together to demonstrate the attack on a test Python server.
The first vulnerability, a Cross-Site Request Forgery (CSRF) flaw, is a weakness in the “Auth” token responsible for authenticating every single request made by the user. Although the token changes with every request the user makes, Ali found it remains reusable for that specific user’s email address or username, meaning an attacker could use it to perform actions on behalf of any logged-in user.
For context, CSRF is a malicious exploit type whereby unauthorized commands are transmitted from a user that a given website already trusts. If an attacker manages to convince the victim to click on a specially crafted exploit link, a request can be made to the vulnerable website on their behalf.
For example, an attacker could enter an email address and any password to capture a PayPal request for sending money; that request will contain a valid “Auth” token. Since the token is reusable, the attacker can use it to authorize the request.
The second vulnerability is described as a loophole that lets an attacker obtain an “Auth” token that is valid for all users. This can be done by intercepting the POST request from a page that provides an “Auth” token before the login process: paypal.com/eg/cgi-bin/webscr?cmd=_send-money.
Together, the first two vulnerabilities could allow an attacker to make “almost” any request on behalf of the targeted user. An attacker cannot, however, change the victim’s password without answering the security questions set by the user, since users themselves cannot change security questions without entering their password first.
That’s where the third vulnerability comes in. The request for setting up security questions in the first place, which is initiated by the user when signing up for PayPal, is allegedly not password-protected.
As such, Ali says this process can be reused to reset the security questions without providing the password. Armed with the first two vulnerabilities, an attacker can thus change the victim’s security questions. At that point, anything goes.
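As an added illustration, not code from Ali’s proof of concept or from PayPal, the Python below models in a hypothetical token store the three properties described above (a token not bound to the session it was issued to, a token obtainable before login, and a security-question change that skips password verification) and contrasts each with the check a hardened implementation performs: session-bound, single-use HMAC tokens that are only issued after authentication, plus a password re-check on sensitive settings. All class and function names, session ids and the sample password are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for this demo; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


class WeakTokenStore:
    """Models the behaviour the article describes: a token is not tied to the
    session it was issued to, can be minted before login, and stays valid for
    reuse, so any token from the pool authorises any request."""

    def __init__(self):
        self.valid = set()

    def issue(self, session_id=None):      # session_id ignored: pre-login issuance allowed
        token = secrets.token_hex(16)
        self.valid.add(token)
        return token

    def check(self, session_id, token):    # session_id ignored: token valid for every user
        return token in self.valid


class BoundTokenStore:
    """Hardened variant: the token carries an HMAC over the authenticated session
    id and a fresh nonce; the nonce is recorded per session and consumed on use."""

    def __init__(self):
        self.unused = {}                   # session_id -> set of outstanding nonces

    def _mac(self, session_id, nonce):
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id):
        if not session_id:
            raise PermissionError("CSRF tokens are only issued to authenticated sessions")
        nonce = secrets.token_hex(16)
        self.unused.setdefault(session_id, set()).add(nonce)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def check(self, session_id, token):
        nonce, sep, mac = token.partition(".")
        if not sep or not hmac.compare_digest(mac, self._mac(session_id, nonce)):
            return False                   # forged, or issued to a different session
        outstanding = self.unused.get(session_id, set())
        if nonce not in outstanding:
            return False                   # replayed, or never issued to this session
        outstanding.discard(nonce)         # single use
        return True


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class User:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.security_questions = None

    def verify_password(self, password):
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


def set_security_questions(store, session_id, token, user, password, questions):
    """Sensitive-settings handler: requires a session-bound single-use CSRF token
    AND the current password, so neither a forged cross-site request nor a
    sign-up-style request without a password can rewrite the questions."""
    if not store.check(session_id, token):
        return False
    if not user.verify_password(password):
        return False
    user.security_questions = questions
    return True


def demo():
    """Runs both stores through the scenarios the article describes; every
    value in the returned dict is True when the model behaves as expected."""
    results = {}
    weak = WeakTokenStore()
    attacker_token = weak.issue(None)      # obtained before any login
    results["weak_prelogin_token_accepted_for_victim"] = weak.check("victim-session", attacker_token)
    results["weak_token_replayable"] = weak.check("victim-session", attacker_token)

    bound = BoundTokenStore()
    try:
        bound.issue(None)
        results["bound_prelogin_issue_refused"] = False
    except PermissionError:
        results["bound_prelogin_issue_refused"] = True
    victim_token = bound.issue("victim-session")
    results["bound_token_rejected_for_other_session"] = not bound.check("attacker-session", victim_token)
    results["bound_first_use_ok"] = bound.check("victim-session", victim_token)
    results["bound_replay_rejected"] = not bound.check("victim-session", victim_token)

    user = User("correct horse battery staple")  # constructed sample credential
    results["questions_change_without_password_refused"] = not set_security_questions(
        bound, "victim-session", bound.issue("victim-session"), user, "wrong", ["q1"])
    results["questions_change_with_password_ok"] = set_security_questions(
        bound, "victim-session", bound.issue("victim-session"), user, "correct horse battery staple", ["q1"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two stores differ in exactly the three ways the article calls out: the hardened store refuses to mint a token for an unauthenticated visitor, rejects a token presented under any session other than the one it was issued to (the HMAC covers the session id), and discards each nonce on first use so a captured token cannot be replayed. The settings handler then adds the password re-check that the sign-up flow is said to lack.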
We have contacted PayPal about these alleged vulnerabilities. We will update this article when we hear back.