PayPal business site vulnerability could offer access to databases

Payments giant implements quick fix.

A critical vulnerability has been found in payment processing giant PayPal's business website, manager.paypal.com. 

The security researcher known as Artsploit, Michael Stepankin, discovered the vulnerability late last year.

He said he discovered a POST form parameter called ‘oldFormData’ that looked “like a complex object after base64 decoding”. 

As it turns out, it was a Java serialised object with no signature. 

Serialisation is the process of converting an in-memory object into a static, binary format that can be stored or transmitted and later reconstructed (deserialised).

As was revealed in a post by Chris Frohoff and Gabriel Lawrence at Foxglove security, this becomes a problem “when developers write code that accepted serialised data from users and attempt to serialise for use in the program”. 

Such a vulnerability, Frohoff and Lawrence explained, can allow an attacker to carry out remote code execution on the target.

In this case, Stepankin discovered that an intruder could potentially execute arbitrary OS commands on manager.paypal.com servers and upload and execute a backdoor. 
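An added example (Python, not from the article, from Stepankin, or from PayPal's code) illustrating the two practitioner-side points above: how a defender can recognise a base64-encoded Java serialisation stream arriving in a form parameter, and how signing such a blob (here with HMAC-SHA256, an assumed design) lets a server reject anything it did not itself issue before the bytes ever reach a deserialiser. The parameter values and key below are constructed.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Every Java serialization stream starts with the magic 0xACED followed by
# stream version 0x0005, so a base64-encoded stream always begins "rO0AB".
JAVA_STREAM_MAGIC = 0xACED
JAVA_STREAM_VERSION = 5

# Constructed sample values (not real PayPal traffic): a stand-in blob with a
# valid Java stream header, its base64 form, a plain-text parameter, and a key.
SAMPLE_BLOB = b"\xac\xed\x00\x05" + b"constructed-object-bytes"
SAMPLE_PARAM = base64.b64encode(SAMPLE_BLOB).decode()
PLAIN_PARAM = base64.b64encode(b"just a normal form value").decode()
KEY = b"constructed-server-side-secret"


def is_java_serialized(param_value: str) -> bool:
    """Detection: True if a base64 form parameter carries a raw Java
    serialization stream. Suitable for a WAF rule or request log check."""
    try:
        raw = base64.b64decode(param_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 4:
        return False
    magic, version = struct.unpack(">HH", raw[:4])
    return magic == JAVA_STREAM_MAGIC and version == JAVA_STREAM_VERSION


def sign_form_data(blob: bytes, key: bytes) -> str:
    """Mitigation: the server issues base64(blob) + '.' + hex(HMAC-SHA256),
    so an unsigned or altered blob can be refused on the way back in."""
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return base64.b64encode(blob).decode() + "." + tag


def verify_form_data(param_value: str, key: bytes) -> Optional[bytes]:
    """Return the blob only if its tag verifies; otherwise None, and the
    caller must not pass the bytes to ObjectInputStream or any deserializer."""
    encoded, sep, tag = param_value.rpartition(".")
    if not sep:
        return None  # no signature at all, exactly the flaw described above
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError:
        return None
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return blob if hmac.compare_digest(expected, tag) else None
```

The verification step runs before deserialisation, which is the whole point: a signature does nothing if the object graph is rebuilt first and checked afterwards.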

Stepankin spoke to SCMagazineUK.com and explained how this particular exploit could be used on PayPal.

He said a hacker “could gain access to production databases where PayPal business customers data is stored. I didn't even try to do it because it's considered illegal [even] when you perform security testing.”

PayPal got to work “within a couple of days” to fix the vulnerability, said Stepankin.

He said they paid him a generous reward as part of the PayPal bug bounty program.

“I have nothing but respect for them,” Stepankin wrote. 

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition