Through the PayPal Bug Bounty Program, a security researcher recently revealed a way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com.
This type of protection helps customers avoid attacks by criminals where they could make changes to your account.
The team worked quickly to address this vulnerability, and have already fixed it. There is no evidence that any customer was impacted.
The Security researcher Yasser Ali publicly disclosed a vulnerability in PayPal’s website. Ali claims he was able to hijack anyone’s account in a targeted attack.
The “targeted attack” part here is important: even if Ali’s findings work exactly as he describes, an attacker would still require some initial information, most critically the email address used for a given PayPal login, as well as a way to lure the victim into clicking on a malicious link.
With those two key pieces, anyone could potentially take full control over a PayPal account.
An attacker could perform the following on your PayPal account, according to Ali:
- Add/Remove/Confirm email address
- Add fully privileged users to a business account
- Change security questions
- Change billing/shipping address
- Change payment methods
- Change user settings (including notifications and other mobile settings)
Ali has created a proof-of-concept video that shows his exploit to demonstrate the attack on a test Python server.
Via Venture Beat