Critical vulnerabilities have been discovered in the eBay-owned payment service PayPal that allow an attacker to take control of a PayPal account with only one click, affecting 156 million PayPal users.
Yasser H. Ali, an Egyptian security researcher, has discovered three critical flaws in the official PayPal website: a CSRF vulnerability, an authorization-token bypass, and the ability to reset a user's account security questions.
The researcher demonstrated the vulnerability step by step in a proof-of-concept (PoC) video, using a single exploit that chains all three vulnerabilities.
According to the video, the PayPal CSRF exploit lets an attacker silently associate a new email address (the attacker's) with the victim's PayPal account and also reset the answers to the security questions.
Mr. Ali successfully bypassed the security Auth tokens to generate the exploit code for the attack. PayPal uses the Auth token to verify that a request comes from the account owner.
Yasser said: "I found out that the CSRF Auth is reusable for that specific user email address or username. This means that if an attacker found any of these CSRF tokens, Yasser can then make actions on behalf of any logged-in user."
Once executed, the exploit adds the attacker's email address to the victim's PayPal account, which can then be used to reset the account password.
PayPal's security team patched the flaw after Yasser reported it through the Bug Bounty Program. Three months ago, the researcher found a similar vulnerability in the eBay website that allowed attackers to hijack any eBay account in just one minute.
Proof of Concept Video:
Cross-Site Request Forgery (CSRF or XSRF) is an attack on a website in which the attacker must convince the victim to visit a specially crafted HTML page that makes a request to the vulnerable website on the victim's behalf.
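The weakness the researcher describes is a CSRF token that depends only on the user's identity, so one leaked value works from any session for as long as the account exists. The following is an added example written for this page (not PayPal's code); it contrasts that design with a token bound to the session and an expiry. The secret key, session ids and token format are constructed assumptions.

```python
import hmac
import hashlib
import secrets
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from server-side config.
SECRET_KEY = b"server-side-secret-for-demo-only"


# Weak design: one long-lived token derived only from the username.
# The same value is returned every time, so anyone who learns it can
# replay it from any browser session until the secret is rotated.
def weak_issue_token(username: str) -> str:
    return hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()


def weak_verify(username: str, token: str) -> bool:
    return hmac.compare_digest(weak_issue_token(username), token)


# Hardened design: the token is an HMAC over the session id, a random nonce
# and an expiry timestamp. It is only valid for the session that issued it
# and stops working after the TTL, so a captured token has limited value.
def issue_token(session_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    expiry = now + ttl
    nonce = secrets.token_hex(16)
    msg = f"{session_id}|{nonce}|{expiry}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{expiry}.{mac}"


def verify_token(session_id: str, token: str, now: Optional[int] = None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False  # malformed token
    if now >= expiry:
        return False  # expired
    msg = f"{session_id}|{nonce}|{expiry}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    # constant-time compare; session_id in the MAC input rejects cross-session reuse
    return hmac.compare_digest(expected, mac)
```

The session-bound check is the property the reusable per-user token lacked: the same token presented with a different session id, or after its expiry, is refused.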