PayPal business site vulnerability could offer access to databases

A critical vulnerability has been found in payment processing giant PayPal's business website, manager.paypal.com. 

The security researcher known as Artsploit, Michael Stepankin, discovered the vulnerability late last year.

He said discovered a post form parameter called ‘oldFormData' that, according to Stepankin, looks “like a complex object after base64 decoding”. 

As it turns out, it was a Java serialised object with no signature. 

Serialisation is a process that lets developers convert data to a static, binary format which one can then use for transmission among other things.

As was revealed in a post by Chris Frohoff and Gabriel Lawrence at Foxglove security, this becomes a problem “when developers write code that accepted serialised data from users and attempt to serialise for use in the program”. 

Such a vulnerability, Frohoff and Lawrence explained, can allow an attacker to carry out remote code execution on the target.

In this case, Stepankin discovered that an intruder could potentially execute arbitrary OS commands on manager.paypal.com servers and upload and execute a backdoor. 

Stepankin spoke to SCMagazineUK.com and explained how this particular exploit could be used on PayPal.

He said a hacker “could gain access to production databases where PayPal business customers data is stored. I didn't even try to do it because it's considered illegal [even] when you perform security testing.”

Paypal got to work “within a couple of days” to fix the vulnerability said Stepankin.

He said they paid him a generous reward as part of the PayPal bug bounty program.

" I have nothing but respect for them," Stepankin wrote. 

This article originally appeared at scmagazineuk.com