Three critical vulnerabilities have been discovered in PayPal that could allow an attacker to bypass its protections and take control of any PayPal account. Considered the top payments and money-transfer service, PayPal is used by hundreds of millions of users, which makes these vulnerabilities quite critical.
PayPal hack possible with a single click:
These vulnerabilities were disclosed by an Egyptian security researcher, Yasser H. Ali. On his website he shared the details of three loopholes: CSRF token reusability, the possibility of bypassing the Auth token, and the ability to reset the security questions.
- The CSRF token “that authenticates every single request made by the user”, which can also be found in the request body of every request with the parameter name “Auth”, gets changed with every request made by the user as a security measure, but after a deep investigation I found out that the CSRF Auth is reusable for that specific user email address or username. This means if an attacker found any of these CSRF tokens, he can then make actions on behalf of any logged-in user.
- The request will contain a valid CSRF Auth token which is reusable and can authorise this specific user's requests. Upon further investigation, we have found out that an attacker can obtain the CSRF Auth which can be valid for ALL users, by intercepting the POST request from a page that provides an Auth token before the logging-in process ... At this point the attacker can CSRF “almost” any request on behalf of this user.
And finally, Ali found that an attacker can reset the security questions of any account without needing to know the password. Here is how a targeted PayPal hack would work by combining these three vulnerabilities, as Ali demonstrated in his proof-of-concept video:
- The attacker first associates a new secondary email ID with the target's account using the CSRF exploit.
- The attacker is able to bypass the Auth token check that PayPal uses to detect legitimate requests.
- Once the new email ID is associated, the attacker uses the Forgot Password feature to reset the password.
- This in turn requires the attacker to answer the security questions. However, as demonstrated, the attacker uses the CSRF exploit to reset the security question answers and takes control of the account.
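What all three steps have in common is a CSRF token that is valid on its own rather than being tied to the session and login identity that present it. The following is an added illustration of that defensive property, not PayPal's code or Ali's proof of concept; the `Session` class, `SERVER_KEY`, and the token functions are assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Constructed per-deployment secret; in production this lives in a secrets store.
SERVER_KEY = secrets.token_bytes(32)


class Session:
    """Hypothetical stand-in for a server-side session (not PayPal's)."""
    def __init__(self, session_id, user=None):
        self.session_id = session_id
        self.user = user          # None until the user has logged in


# --- Weak scheme: token is checked for validity only, not for who presents it ---
_issued_tokens = set()

def weak_issue_token():
    token = secrets.token_hex(16)
    _issued_tokens.add(token)
    return token

def weak_verify_token(token):
    # Any token ever issued is accepted from any session, so a token obtained
    # from a pre-login page is valid for every user: the property the article describes.
    return token in _issued_tokens


# --- Hardened scheme: token is an HMAC over the session id and login identity ---
def issue_token(session):
    # Including session.user means a token minted before login (user=None)
    # stops verifying once the same session is authenticated.
    msg = f"{session.session_id}|{session.user or ''}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def verify_token(session, token):
    # Constant-time comparison against the token this exact session should hold.
    return hmac.compare_digest(issue_token(session), token)


def demo():
    anon = Session("sess-1")                 # constructed: before login
    pre_login = issue_token(anon)
    alice = Session("sess-1", "alice")       # same session cookie, now authenticated
    bob = Session("sess-2", "bob")
    leaked = weak_issue_token()              # constructed: token captured pre-login
    return {
        "pre_login_token_after_login": verify_token(alice, pre_login),        # False
        "alice_token_on_bob_session": verify_token(bob, issue_token(alice)),  # False
        "own_token": verify_token(alice, issue_token(alice)),                 # True
        "weak_cross_user": weak_verify_token(leaked),                         # True
    }
```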
PayPal fixed the vulnerabilities after Ali reported them.
[Update]: A PayPal spokesperson reached out to Wccftech, making it clear that none of its customers were affected by this issue:
“One of our security researchers recently made us aware of a potential way to bypass PayPal's Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern.”
- Details: Yasser H. Ali