Unconfirmed PayPal 0day auth flaw lingers after XSS gets fixed
Brace of bugs unveiled in payment facilitator's security structure
Two vulnerabilities in popular payments platform PayPal emerged this week.
A cross-site scripting flaw affecting the web payment service was fixed last month, but another flaw is yet to be resolved. The unresolved vulnerability creates a means to bypass the security approval procedure and two-factor authentication applied by the payment service, according to bug finders at Vulnerability Laboratory.
An attacker might be able to bypass the authentication for PayPal accounts or blocked accounts using a session vulnerability in PayPal’s iOS app.
“The attack is not limited to a blocked or restricted PayPal account. The security approval checks the identity of a device user. The 2FA is two factor auth,” Benjamin Kunz Mejri, the founder of Vulnerability Laboratory, told El Reg.
Vulnerability Laboratory published an advisory on the 0day security bug together with screenshots and a video here. El Reg forwarded the advisory to PayPal, which responded by saying it was looking into the issue. There’s no suggestion that the flaw is under active attack by hackers at this point. In any case, the bug – if verified – would be more undesirable than disastrous. It doesn’t present a direct risk of fraudulent exploitation, at least on its own.
Mejri added: “The issue was reported by using the iPad and iPhone to trick the website into an error exception that allows to bypass both secure procedures (sec approval & 2FA). The video shows how we used a blocked account that was not able to login to the website via mobile browser or desktop browser.”
“After that we used stored session cookies that appeared to be persistent after a PayPal app update. Then we bypassed the sec approval and the connected 2FA request site. At the end I was logged into my account and was able to change values inside my profile,” he added.
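A defender-side illustration of the control the reported bypass evades, added here as an example and not PayPal's code: a session check that re-validates account state and 2FA completion on every request, so a cookie persisted on a device stops working the moment the account is blocked and cannot reach profile changes without a completed second factor. The in-memory store, the token format and the `sensitive` flag are assumptions for the example.

```python
# Added example, not PayPal's code: the server re-checks account state on every
# request instead of trusting a persisted cookie. All records are in-memory.
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    blocked: bool = False
    # Bumped on block/unblock/re-credential; sessions minted under an
    # older generation are rejected even if the cookie is still stored.
    generation: int = 0


@dataclass
class Session:
    user_id: str
    generation: int
    mfa_passed: bool


class SessionStore:
    def __init__(self):
        self.accounts = {}  # user_id -> Account
        self.sessions = {}  # token -> Session

    def login(self, user_id: str, mfa_passed: bool) -> str:
        """Issue a token after the password step; 2FA may still be pending."""
        acct = self.accounts.setdefault(user_id, Account())
        if acct.blocked:
            raise PermissionError("account blocked")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, acct.generation, mfa_passed)
        return token

    def set_blocked(self, user_id: str, blocked: bool) -> None:
        acct = self.accounts.setdefault(user_id, Account())
        acct.blocked = blocked
        acct.generation += 1  # kill every session issued so far, both ways

    def authorize(self, token: str, sensitive: bool = False) -> bool:
        """True only if the token is live for the account's current state."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        acct = self.accounts[sess.user_id]
        if acct.blocked or sess.generation != acct.generation:
            return False
        # Profile changes and other sensitive actions require completed 2FA.
        return sess.mfa_passed or not sensitive
```

Unblocking also bumps the generation, so a cookie that survived a block (or an app update) never springs back to life; the user must log in again.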
A second issue, a cross-site scripting flaw on PayPal’s website, has already been resolved. Before it was fixed, the flaw created a means to upload maliciously crafted files capable of performing attacks on registered users of the service.
There’s no evidence any malfeasance along these lines actually happened and the bug was, in any case, fixed last month, a PayPal representative told El Reg.
“PayPal takes the security of our customers’ data, money and account information extremely seriously and worked quickly to resolve an issue related to a Cross-Site Scripting (XSS) flaw and promptly fixed it on July 10, 2015. We have no evidence to suggest that any PayPal accounts were impacted in any way.”
Security researchers at BitDefender discovered that the way PayPal processes and encrypts URLs that transport uploaded files was flawed. BitDefender’s proof-of-concept used an HTML-formatted XML file, which is transferred to the "Create an Invoice" section.
By tampering with the URL that pulls upload files from PayPal’s servers, BitDefender was able to force the execution of a malicious payload on PayPal’s server. ®