PayPal Exploit Allowed Hackers to Deliver Malicious Images Using Payment Pages

Rafia Shaikh
Posted Jun 24, 2016

A recently discovered security vulnerability in PayPal could have allowed hackers to insert malicious images into payment pages. PayPal has now fixed the exploit.

Not everything hosted on legit sites is malware-free, PayPal exploit confirms

Security researcher Aditya K Sood discovered that attackers could tamper with the value of a parameter in the URL of PayPal payment pages. They could replace this parameter value with a URL pointing to an image hosted on a remote server they controlled, and that image could carry malware. In the past, we have reported on several techniques that attackers use to hide malware in images. PayPal’s vulnerability could have allowed attackers to use a vendor’s payment page to deliver such malicious images. Because the image and the links appeared inside PayPal’s own payment pages, under a paypal.com URL, victims were more likely to trust them and unwittingly open the malicious links.

Sood said that this is an “insecure design as PayPal allows remote users to inject images owned by them into the PayPal components used for transactions by the customers.” “That being said, the question is – can you deliver malware or an exploit through images? The answer is yes. Exploit techniques such as Stegosploit can be used to achieve that,” Sood told SecurityWeek. He demonstrated the flaw by displaying an arbitrary image – which could of course be also used to deliver a piece of malware – on a vendor’s payment page.
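The flaw described above boils down to a page taking an image location from a URL parameter and using it unchecked. The following is an added example, not PayPal’s code and not from the researcher: it contrasts that unchecked "before" behaviour with a server-side check that only accepts HTTPS image URLs whose host is on an allow-list, falling back to a default image otherwise. The parameter name `image`, the host `images.example-payments.test` and the default path are hypothetical.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list: the only hosts a payment page may load images from.
ALLOWED_IMAGE_HOSTS = {"images.example-payments.test"}
DEFAULT_IMAGE = "/static/default-logo.png"


def vulnerable_image_url(query_string):
    """Insecure 'before' pattern: whatever the `image` parameter says is used as-is,
    so any remote host can supply the picture shown on the page."""
    params = parse_qs(query_string)
    return params.get("image", [None])[0]


def safe_image_url(query_string, default=DEFAULT_IMAGE):
    """Hardened version: accept the parameter only if it is an https URL whose
    hostname is exactly one of the allow-listed hosts; otherwise use the default."""
    params = parse_qs(query_string)
    candidate = params.get("image", [None])[0]
    if candidate is None:
        return default
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        return default                      # reject http:, data:, javascript: etc.
    if parts.username is not None or parts.password is not None:
        return default                      # reject "trusted-host@evil" userinfo tricks
    if parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return default                      # exact match; subdomains of attacker hosts fail
    return candidate


if __name__ == "__main__":
    # Constructed sample query strings, not captured from any real site.
    for qs in (
        "image=https://images.example-payments.test/logo.png",
        "image=https://attacker.example/payload.png",
        "image=https://images.example-payments.test@attacker.example/payload.png",
        "image=http://images.example-payments.test/logo.png",
        "",
    ):
        print(f"{qs!r:75} before={vulnerable_image_url(qs)!r} after={safe_image_url(qs)!r}")
```

The point of the exact hostname comparison is that substring or prefix checks on the URL string are what usually go wrong here; parsing the URL and comparing the parsed host against a fixed set defeats both lookalike hosts and `trusted@attacker` userinfo tricks.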

Sood reported this vulnerability to PayPal in January, but the company has only now patched it. At first, it told Sood that the attack scenario was unlikely, since there are easier ways to deliver malware. PayPal also said that it actively scans for malicious content hosted on the site, but Sood maintains that this is a high-risk vulnerability. The payment processor then decided to patch the flaw and awarded Sood a $1,000 bug bounty.
