PayPal BugBounty Program : How I Hacked PayPal Accounts – Authentication System Bypass Vulnerability

Today I am going to make a public disclosure of a critical vulnerability I found during my research on the PayPal core application. This vulnerability allowed me to completely bypass the CSRF prevention system, which led to account hijacking and the ability to issue privileged actions on a target user's account through a series of chained flaws.

I   – IDENTIFICATION PHASE
II  – CSRF AUTH SYSTEM BYPASS
III – PROOF OF CONCEPT
IV  – IMPACTS & RISK FACTORS


I – Identification Phase :

After analyzing the web application, I took a look at the Customer Profile (My Selling Tools) settings module (classic view). While intercepting requests there, I identified a reflected XSS issue in the customer profile settings. The flaw resides in the request sent after clicking the expand/collapse option on the page, which has three collapsible sections:
[+]Selling online
[+]Getting paid and managing my risk
[+]Shipping my items


While testing, I intercepted the request sent by this expand/collapse action. It carries two parameters :

  • “group” parameter : identifies the section being toggled ( shippingItems, paymentAndRisk, sellingItems )
  • “state” parameter : the new state of that section ( 0 ==> Collapsed , 1 ==> Expanded )

TODO

Proof of Concept Demonstration
