
Hacking PayPal Account with a single exploit

  • December 3, 2014

Jasper_The_Rasper
Moderator
by Pierluigi Paganini on December 3rd, 2014

An Egyptian hacker demonstrated that, using a single exploit, it is possible to take control of any PayPal account, due to the presence of a series of flaws.

The Egyptian security researcher Yasser H. Ali has reported three critical vulnerabilities in the PayPal website that could be exploited by an attacker to compromise users’ accounts. The vulnerabilities include a CSRF, an authentication token bypass and a security-question reset flaw. It’s not the first time that Yasser has discovered similar bugs: he found in the eBay website a series of vulnerabilities that allowed him to hijack any eBay account in just 1 minute.
 
 http://securityaffairs.co/wordpress/wp-content/uploads/2014/12/PayPal-hacking.png
“I found out that the CSRF Auth is reusable for that specific user email address or username, this means if an attacker found any of these CSRF tokens, he can then make actions on behalf of any logged in user,” Yasser explained to The Hacker News.
 
Full Article
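The researcher's point is that the anti-CSRF token was bound to the account rather than to one session, so a single token worked for every session of that user. The following is an added illustration written for this thread, not code from the article, from the researcher or from PayPal, and it does not reproduce how the token was obtained (the page does not say). It puts a constructed weak design (token derived from the user's e-mail with a server key) beside a hardened one (random token per session, constant-time check) and shows that a token captured from one session is accepted by a later session only in the weak design. All names, the `Session` class and the `change_email` endpoint are assumptions for the example.

```python
"""Added example: account-bound CSRF token (reusable across sessions)
versus a per-session synchronizer token. Not PayPal's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed server-side secret; a real deployment loads this from a KMS or the environment.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


@dataclass
class Session:
    """Minimal stand-in for a logged-in web session (assumed for the example)."""
    session_id: str
    user_email: str
    csrf_token: Optional[str] = None


# --- Weak design (constructed to mirror the described behaviour) -------------
def weak_issue_token(session: Session) -> str:
    # Deterministic per account: every session of this user receives the same
    # token, and it stays valid until SERVER_KEY is rotated.
    return hmac.new(SERVER_KEY, session.user_email.encode(), hashlib.sha256).hexdigest()


def weak_verify(session: Session, presented: Optional[str]) -> bool:
    if presented is None:
        return False
    return hmac.compare_digest(weak_issue_token(session), presented)


# --- Hardened design: random token bound to one session ----------------------
def strong_issue_token(session: Session) -> str:
    # 256 bits from the OS CSPRNG, generated once per session and kept server side.
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def strong_verify(session: Session, presented: Optional[str]) -> bool:
    if session.csrf_token is None or presented is None:
        return False
    # compare_digest avoids leaking the token byte by byte through timing.
    return hmac.compare_digest(session.csrf_token, presented)


Issuer = Callable[[Session], str]
Verifier = Callable[[Session, Optional[str]], bool]


def change_email(session: Session, form: dict, verify: Verifier) -> str:
    """Hypothetical state-changing endpoint guarded by the chosen verifier."""
    if not verify(session, form.get("csrf_token")):
        return "rejected: bad or missing CSRF token"
    session.user_email = form["new_email"]
    return "ok"


def legitimate_request(issue: Issuer, verify: Verifier) -> str:
    """The user's own form submission: token issued to this session, sent from it."""
    s = Session("sess-1", "victim@example.com")
    form = {"csrf_token": issue(s), "new_email": "victim+new@example.com"}
    return change_email(s, form, verify)


def replay_across_sessions(issue: Issuer, verify: Verifier) -> str:
    """A token issued to the victim in an earlier session is replayed in a forged
    request against a later session of the same account. How the attacker got
    the token is simply assumed here; the question is whether it is still valid."""
    earlier = Session("sess-A", "victim@example.com")
    captured = issue(earlier)
    later = Session("sess-B", "victim@example.com")
    issue(later)  # the later session renders a page and is issued its own token
    forged = {"csrf_token": captured, "new_email": "attacker@example.com"}
    return change_email(later, forged, verify)


if __name__ == "__main__":
    for name, issue, verify in (("weak", weak_issue_token, weak_verify),
                                ("strong", strong_issue_token, strong_verify)):
        print(f"{name}: legit={legitimate_request(issue, verify)!r} "
              f"replay={replay_across_sessions(issue, verify)!r}")
```

The weak variant does not fail because the token is guessable (it is a full HMAC) but because it is bound to the wrong thing: one leak is good for every present and future session of that account until the key rotates. Binding the token to the session, and rotating it at login, limits any leak to that session's lifetime.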


Jasper_The_Rasper
Moderator

Yet another tale of incredibly crocked software

By Darren Pauli, 4 Dec 2014

PayPal has plugged a huge hole that exposed every account to hijacking.
The cross-site request forgery (CSRF) flaw reported by Egyptian researcher Yasser H. Ali allowed attackers access to any PayPal account of their choosing if they were capable of convincing a target to click a link.
A PayPal spokesperson confirmed the flaw to Vulture South, adding it had no evidence accounts had been compromised.
 
Full Article

  • Community Guide
  • December 4, 2014
The following article is an update

Squashed bug opened EVERY PayPal account to hijacking

By Darren Pauli, 4 Dec 2014
 
PayPal has plugged a huge hole that exposed every account to hijacking.
The cross-site request forgery (CSRF) flaw reported by Egyptian researcher Yasser H. Ali allowed attackers access to any PayPal account of their choosing if they were capable of convincing a target to click a link.

A PayPal spokesperson confirmed the flaw to Vulture South, adding it had no evidence accounts had been compromised.
"Through the PayPal Bug Bounty Program, one of our security researchers recently made us aware of a way to bypass PayPal's Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com," the spokesperson said. "Our team worked quickly to address this vulnerability, and we have already fixed the issue."
 
 
Full Article
