The blog of Xeno, a slightly mad scientist
A vulnerability that would have enabled a hacker to completely bypass the authentication system in PayPal has been patched, resulting in a $10,000 bounty for the white-hat that found it.
Worth every penny, too: the flaw put 150 million PayPal customers in danger of having their accounts hijacked with a low-effort, simple gambit.
The flaw was publicly disclosed by Egyptian researcher Yasser Ali, after he saw that the cross-site request forgery (CSRF) prevention system implemented by PayPal had a critical flaw. The CSRF token used to authorize users is changed with every request a user makes, as a security precaution. But Ali found that the ‘CSRF Auth’ token is reusable for a specific user email address or username, meaning that an attacker could intercept and take possession of the tokens, then simply reuse them to access the account of the corresponding logged-in user.
Ali detailed how the vulnerability could be exploited in a blog post. The essential problem lies in the fact that CSRF Auth verifies every single request from that user. So, if an attacker who is not logged in tries to make a ‘send money’ request, PayPal will ask him to provide an email and password. When he plugs in an email and any password, valid or not, he can then capture the request, which will contain a valid CSRF Auth token that is reusable and can authorize requests for that specific user.
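To make the design error concrete, here is an added example (not code from PayPal or from Ali's write-up) contrasting a token derived from the user's identity alone, which stays valid no matter where it was obtained, with a token bound to one authenticated session and checked server-side. The server key and session names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key"


def weak_csrf_token(email: str) -> str:
    """Models the flawed design described in the article: the token is a function
    of the user's identity only, so any flow that emits it (for example a login
    attempt with a wrong password) yields a value that remains valid for every
    request in that user's real authenticated session."""
    return hmac.new(SERVER_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


class SessionBoundCsrf:
    """Hardened design: one random token per authenticated session, stored and
    validated server-side against that session, so a token obtained in any other
    context (another session, an unauthenticated flow) is rejected."""

    def __init__(self) -> None:
        self._by_session = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def verify(self, session_id: str, presented: str) -> bool:
        expected = self._by_session.get(session_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected, presented)  # constant-time compare


def replay_succeeds_with_weak_scheme(victim_email: str) -> bool:
    # A failed login for the victim's email still carries the identity-derived token.
    captured = weak_csrf_token(victim_email)
    # The victim's authenticated session later validates a forged request against
    # the same identity-derived value, so the captured token is accepted.
    return hmac.compare_digest(weak_csrf_token(victim_email), captured)


def replay_succeeds_with_session_bound_scheme() -> bool:
    csrf = SessionBoundCsrf()
    csrf.issue("victim-session")               # victim logs in and gets a token
    captured = csrf.issue("attacker-session")  # any other context gets its own
    return csrf.verify("victim-session", captured)


if __name__ == "__main__":
    print("weak scheme accepts replay:", replay_succeeds_with_weak_scheme("victim@example.com"))
    print("session-bound accepts replay:", replay_succeeds_with_session_bound_scheme())
```

The same binding principle applies to the security-question flow described next: a sensitive change should require proof of the current session's authentication (for example, the password) rather than a value that any request for that identity can reveal.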
From there, the next hurdle is getting past the security questions, since an attacker cannot change the victim’s password without answering them. This boiled down to the fact that the initial process of setting security questions is not password-protected and is reusable, so it can simply be initiated again to reset the security questions without providing the password at all.
Taken in total, an attacker could conduct a targeted CSRF attack against a PayPal user and take full control of his or her account. The affected requests include: add/remove/confirm email address; add fully privileged users to a business account; change security questions; change billing/shipping address; change payment methods; change user settings (notifications/mobile settings).
Given the level of havoc that the exploited flaw could wreak, it’s no wonder that “the vulnerability is patched very fast and PayPal paid me the maximum bounty they give😉,” Ali said.