Researchers at the cybersecurity firm Cybernews released a report detailing the discovery of six vulnerabilities in the electronic payment system PayPal that, if exploited, would allow threat actors to carry out various attacks, from multi-factor authentication bypass to the injection of malicious code, among others.
Below is a brief explanation of each of the vulnerabilities found during this research. As already mentioned, their exploitation mainly affects the end users of the system.
Two-factor authentication (2FA) bypass
Cybersecurity specialists discovered that it is possible to bypass two-factor authentication (2FA) using the current version of the PayPal app for Android; this security measure is activated when the user tries to log into the platform from a new device, location, or IP address. To do this, the researchers used a man-in-the-middle (MiTM) proxy and, after a series of steps, obtained a token to log into the account.
The flaw has not been corrected, so it is not possible to reveal more technical details of the attack. In addition, the process is not very complex and takes only a few minutes to complete, so users are exposed to serious danger.
Phone number confirmation without a one-time PIN
Researchers also discovered a way to confirm a new phone number on PayPal without the one-time PIN (OTP), the check that verifies that a phone number belongs to the account holder; if the check fails, the number is rejected.
When a user registers a new phone number, a call is made to api-m.paypal.com, which returns the status of the phone confirmation. The specialists demonstrated that this call can be altered very easily, so PayPal will incorrectly confirm the registration of the new number.
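The flaw described above is a classic case of a server acting on a confirmation status that passed through the client. The following Python example, added here as an illustration and not taken from Cybernews' report or PayPal's code, contrasts a hypothetical handler that trusts a client-reported status with one that decides confirmation only from OTP state the server itself recorded (single use, time-limited, constant-time comparison). All names, the in-memory store and the sample phone numbers are constructed for the example.

```python
import hmac
import secrets
import time


class PhoneConfirmationService:
    """Hypothetical server-side phone-confirmation service (constructed for this example)."""

    def __init__(self, otp_ttl_seconds=300):
        self.otp_ttl = otp_ttl_seconds
        self.pending = {}    # (account_id, phone) -> (otp, expires_at)
        self.confirmed = {}  # account_id -> set of confirmed phone numbers

    def start_confirmation(self, account_id, phone, now=None):
        """Generate a 6-digit OTP and record it server-side.
        A real system would deliver it by SMS; here it is returned so the
        example can run offline."""
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[(account_id, phone)] = (otp, now + self.otp_ttl)
        return otp

    def register_phone_insecure(self, account_id, phone, client_status):
        """Flawed pattern: the server trusts a status value that travelled
        through the client, so anyone who can edit the request or the
        response can present 'CONFIRMED' without ever receiving an OTP."""
        if client_status == "CONFIRMED":
            self.confirmed.setdefault(account_id, set()).add(phone)
            return True
        return False

    def register_phone_secure(self, account_id, phone, submitted_otp, now=None):
        """Hardened pattern: confirmation is decided only from state the
        server recorded. The client submits the OTP it received, never a
        confirmation status."""
        now = time.time() if now is None else now
        entry = self.pending.get((account_id, phone))
        if entry is None:
            return False                        # no confirmation in progress
        otp, expires_at = entry
        if now > expires_at:
            del self.pending[(account_id, phone)]
            return False                        # expired; client must restart
        if not hmac.compare_digest(otp, submitted_otp):
            return False                        # wrong code (constant-time compare)
        del self.pending[(account_id, phone)]   # single use: a captured OTP cannot be replayed
        self.confirmed.setdefault(account_id, set()).add(phone)
        return True

    def is_confirmed(self, account_id, phone):
        return phone in self.confirmed.get(account_id, set())


if __name__ == "__main__":
    svc = PhoneConfirmationService()
    # The insecure handler confirms a number on the strength of a client-chosen string.
    print("insecure:", svc.register_phone_insecure("acct-1", "+15550100", "CONFIRMED"))
    # The secure handler only confirms once the server-issued OTP is presented.
    code = svc.start_confirmation("acct-1", "+15550101")
    print("secure, wrong otp:", svc.register_phone_secure("acct-1", "+15550101", "000000"))
    print("secure, right otp:", svc.register_phone_secure("acct-1", "+15550101", code))
```

The point to carry over to real deployments is that the only input the client should be able to influence is the OTP value; the "confirmed" decision and the pending-state lookup live entirely on the server, so tampering with the request or the response in a proxy changes nothing.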
Bypass of the secure money-sending mechanism
To prevent fraud and other unlawful conduct, PayPal implemented, among other measures, a mechanism that is activated if one or more of the following conditions are detected:
a new device is detected
attempts are made to send payments from a different location or IP address
changes in users’ regular transfer and payment patterns are detected
the account is newly created
If any of these conditions are met, PayPal shows users error messages such as:
“will need to link a new payment method to send the money”
“payment was denied, try again later”
During the investigation it was discovered that this sending block is vulnerable to brute-force attacks, so an attacker with access to PayPal credentials can access the compromised accounts.
Full name change
By default, PayPal only lets users change one or two characters of their name at a time; after doing so, the option disappears. Cybersecurity specialists created a test account to demonstrate the presence of a flaw that allows the full name to be modified at any time.
XSS vulnerability in SmartChat
SmartChat is a self-help chat on PayPal that gives users access to the most frequent questions and answers. Cybersecurity specialists found that this implementation lacks validation of the text that users enter. Using a man-in-the-middle (MiTM) attack, the researchers were able to capture traffic directed at PayPal’s servers and add a malicious payload to it.
XSS vulnerability in Security Questions
This is a flaw similar to the one above and exists because PayPal does not sanitize the input of its Security Questions field. The fault is exploitable using the same method described in the previous paragraph. Below is a screenshot that includes the test code injected into the target account, resulting in a clickable link:
A threat actor can inject scripts into other people’s accounts to extract sensitive data.
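Both XSS findings come down to user-supplied text being stored and later rendered into HTML without server-side validation or output encoding; a client-side check alone is useless once a proxy can edit the request. The Python example below is added here for illustration and is not code from Cybernews or PayPal. It renders a hypothetical security-question field the unsafe way and the safe way, and adds a server-side allowlist check for the stored text; the sample input is constructed and uses an invalid example domain so that it resolves nowhere.

```python
import html
import re

# Constructed sample: the kind of text a tampered request could carry into a
# security-question field if the server does not validate it (hypothetical).
SAMPLE_QUESTION = 'What was your first pet?<a href="https://example.invalid/">click</a>'


def render_unsafe(label, text):
    """Vulnerable pattern: stored text is interpolated straight into HTML,
    so a tag in the text becomes a live element (here, a clickable link)."""
    return f"<p>{label}: {text}</p>"


def render_safe(label, text):
    """Hardened pattern: every untrusted value is HTML-escaped at output time,
    so '<', '>', '&' and quotes are rendered as text rather than markup."""
    return f"<p>{html.escape(label, quote=True)}: {html.escape(text, quote=True)}</p>"


# Server-side allowlist for what a security question may contain: letters,
# digits, whitespace and ordinary punctuation, bounded in length. Anything
# outside it (angle brackets, quotes, slashes, control characters) is rejected
# before the value is stored. The character set is an assumption for this example.
_ALLOWED_QUESTION = re.compile(r"[\w\s.,'?!-]{1,100}", re.UNICODE)


def validate_question(text):
    """Return True only if the whole string matches the allowlist."""
    return _ALLOWED_QUESTION.fullmatch(text) is not None


def store_question(text):
    """Validate first, then store; return the stored value or None on rejection.
    Escaping at render time is still applied even to accepted values
    (defence in depth), so validation and encoding are independent controls."""
    return text if validate_question(text) else None


if __name__ == "__main__":
    print(render_unsafe("Question", SAMPLE_QUESTION))   # contains a real <a> element
    print(render_safe("Question", SAMPLE_QUESTION))     # the tag appears as inert text
    print("accepted:", store_question(SAMPLE_QUESTION))  # None: rejected by the allowlist
    print("accepted:", store_question("What was your first pet?"))
```

Validation at the input boundary and encoding at the output boundary are separate controls; the allowlist stops the markup from ever being stored, and the escaping guarantees that whatever does get stored, by this path or any other, is displayed rather than executed.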
According to the International Institute of Cyber Security (IICS), the reported flaws have not been corrected, so millions of PayPal users remain exposed to their exploitation. Like many other technology firms, PayPal has a vulnerability bounty program, operated through the HackerOne platform. Although this is one of the best-known disclosure platforms, cybersecurity specialists believe that HackerOne’s current reporting model somewhat hinders the work of ethical hackers and even encourages illicit practices such as the sale of exploits on the hacking black market.