PayPal hackable in one click according to security researcher
PayPal, currently owned by eBay, is one of the most popular methods for moving money online. Of course, as Microsoft knows from Windows, with popularity comes problems. People are going to poke and prod in an effort to find soft spots. Sometimes the intention is to help fix things, sometimes to exploit the problems.
Security researcher Yasser Ali is on the good side, but he has still released details of a vulnerability that shows how easy it can be to hack PayPal. However, before you get all worked up, the payment service fixed the problem before Ali announced it. It also paid him in gratitude for the information.
The problem arose from CSRF tokens, which authenticate each request made by a customer. Every request generates a different token, but Ali found that previous ones could be reused. That sounds difficult to exploit, as the attacker would first need to obtain such a token.
However, according to Ali, "If an attacker 'not logged in' tries to make a 'send money' request then PayPal will ask the attacker to provide his email and password. The attacker will provide the 'Victim Email' and ANY password. Then he will capture the request. The request will contain a valid CSRF Auth token which is reusable and can authorize this specific user request".
It gets worse -- "After further investigation, I have noticed that the request of setting up the security questions 'which is initiated by the user while signing up' is not password-protected, and it can be reused to reset the security questions without providing the password. Hence, armed with the CSRF Auth, an attacker can CSRF this process too and change the victim's Security questions".
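As an added illustration (not code from the article, from Ali, or from PayPal), the following Python contrasts a token scheme with the property Ali describes, a token tied only to the account identifier and handed out before the password is checked, with one bound to an authenticated session; the secret, email and session layout are constructed for the example.

```python
import hashlib, hmac, secrets

SERVER_SECRET = b"constructed-demo-secret"  # constructed for this illustration

# Flawed scheme: the token depends only on the account email and is issued before
# the password is checked, so a token seen in any login attempt naming the victim is valid.
def weak_issue_token(email):
    return hmac.new(SERVER_SECRET, email.encode(), hashlib.sha256).hexdigest()

def weak_validate(email, token):
    return hmac.compare_digest(weak_issue_token(email), token)

class SessionStore:
    """Hardened scheme: a random token bound to one authenticated session,
    kept server-side and compared in constant time."""
    def __init__(self):
        self._sessions = {}

    def create(self, email, authenticated):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"email": email, "auth": authenticated, "csrf": None}
        return sid

    def issue_csrf(self, sid):
        sess = self._sessions[sid]
        if not sess["auth"]:
            return None  # failed or pending logins never receive a token
        sess["csrf"] = secrets.token_urlsafe(32)
        return sess["csrf"]

    def validate_csrf(self, sid, token):
        sess = self._sessions.get(sid)
        if not sess or not sess["auth"] or sess["csrf"] is None or not token:
            return False
        return hmac.compare_digest(sess["csrf"], token)

def demo():
    victim = "victim@example.com"  # constructed
    captured = weak_issue_token(victim)  # token seen in an unauthenticated attempt
    store = SessionStore()
    attacker_sid = store.create(victim, authenticated=False)
    victim_sid = store.create(victim, authenticated=True)
    attacker_token = store.issue_csrf(attacker_sid)
    victim_token = store.issue_csrf(victim_sid)
    return {
        "weak_reusable": weak_validate(victim, captured),            # True: the flaw
        "attacker_token": attacker_token,                            # None: no token
        "cross_session_valid": store.validate_csrf(victim_sid, attacker_token),
        "own_token_valid": store.validate_csrf(victim_sid, victim_token),
    }
```

In the hardened store a token is only minted once the password check has passed, and it is checked against the session that received it rather than against the account name.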
While all this sounds menacing, at least it's fixed and PayPal acted quickly. We've seen, in the past, cases where the company ignored findings, leading to the researcher announcing details while things were still vulnerable.
Update: Since this article was published, PayPal has sent BetaNews an official statement. "One of our security researchers recently made us aware of a potential way to bypass PayPal's Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers' accounts is our top concern."