A vulnerability that
would have enabled a hacker to completely bypass the authentication
system in PayPal has been patched, resulting in a $10,000 bounty for the
white-hat that found it. Worth every penny, too: the flaw put 150 million PayPal customers
in danger of having their accounts hijacked with a low-effort, simple gambit.
The flaw was publicly disclosed by Egyptian researcher Yasser
Ali, after he saw that the cross-site request forgery (CSRF) Prevention
System implemented by PayPal had a critical flaw. The CSRF token for
authorization of users is changed with every request made by a user as a
security precaution. But, Ali found that the ‘CSRF Auth’ token is
reusable for a specific user email address or username, meaning that a
hacker could intercept and take possession of the tokens, and then
simply reuse them to access the account of the correlated, logged in
user.
Ali detailed how the vulnerability could be exploited, in a blog.
The essential problem lies with the fact that CSRF Auth verifies every
single request of that user. So, if an attacker is not logged in and
tries to make a 'send money' request then PayPal will ask the attacker
to provide his email and password. When he plugs in an email and any
type of password, valid or not, he can then capture the request, which
will contain a valid CSRF Auth token, which is reusable and can
authorize this specific user requests.
From there, the next hurdle is to get past the security
questions, since an attacker cannot change the victim’s password without
answering them. This boiled down to the fact that the initial process
of setting security questions in the first place is not
password-protected and is reusable, so it can simply be initiated to
reset the security questions, without providing the password at all.
Taken in total, an attacker can conduct a targeted CSRF attack
against a PayPal user and take a full control over his or her account.
This involves requests including: Add/remove/confirm email address; add
fully privileged users to business account; change security questions;
change billing/shipping address; change payment methods; change user
settings (notifications/mobile settings).
Given the level of havoc that the exploited flaw could wreak,
it’s no wonder that “the vulnerability is patched very fast and PayPal
paid me the maximum bounty they give ;),” Ali said.
PayPal itself offered some feedback to Infosecurity: “One of
our security researchers recently made us aware of a potential way to
bypass PayPal's Cross-Site Request Forgery (CSRF) Protection
Authorization System when logging onto PayPal.com.
Through the PayPal Bug Bounty program, the researcher reported this to
us first and our team worked quickly to fix this potential vulnerability
before any of our customers were affected by this issue. We
proactively work with security researchers to learn about and stay ahead
of potential threats because the security of our customers’ accounts is
our top concern."
Obviously, PayPal users should update their applications immediately.
Culled from:
Information Security Magazine
Wow, Excellent post. This article is really very interesting and effective. I think its must be helpful for us. Thanks for sharing your informative.
ReplyDeletesocial exchange sites
earn money online
social bookmarking sites list
directory submission site list
article submission sites
blog commenting sites
forum posting sites
press release sites list
outsourcing
off page seo
seo tutorial
free seo tools
freelancing
freelancing sites
seo