PayPal fixes app authentication token hijack flaw


Online payments processor didn't implement OAuth right.

PayPal has plugged a security hole that could have easily been used to hijack third-party application authentication tokens, giving attackers access to accounts connected to the apps.

The flaw was discovered by Adobe senior software engineer Antonio Sanso while testing his own OAuth client.

OAuth is an open standard for secure authentication used by many technology companies including Google and Facebook, which had similar flaws to PayPal that were also discovered by Sanso.

The vulnerability stems from PayPal accepting localhost - the hostname that resolves to the IPv4 loopback address and the IPv6 address ::1 on a user's own system - as a valid value for the redir_uri parameter in the authentication flow, Sanso said.

By adding a specific domain name system entry for his website, Sanso was able to trick PayPal's validation systems into revealing OAuth authentication tokens he would normally not have been entitled to see.

The vulnerability worked for any PayPal OAuth client, Sanso said.
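The article does not publish PayPal's validation logic, so the following is an added illustration, not PayPal's or Sanso's code. It contrasts a hypothetical permissive redirect URI check (one that waves through any host that merely begins with "localhost", which is the shape of weakness a crafted DNS name can exploit) with exact matching against the client's registered redirect URIs, as RFC 6749 recommends, and then audits a few constructed authorization request log lines for requests that only the permissive check would have accepted. The client id, the registered URIs, the log format and the hostname attacker.example are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed registration data for a hypothetical OAuth client.
REGISTERED_REDIRECT_URIS = {
    "client-123": {
        "https://app.example.com/oauth/callback",
        "http://localhost:8080/callback",  # developer-only loopback entry
    },
}

# Hosts that genuinely denote the user's own machine.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def loose_redirect_ok(client_id, redirect_uri):
    """Hypothetical permissive check: any host that starts with 'localhost'
    is accepted regardless of what the client registered. A DNS name such
    as localhost.attacker.example satisfies this test, which is the class
    of mistake described in the article (the exact PayPal check is not known)."""
    host = urlsplit(redirect_uri).hostname or ""
    if host.startswith("localhost"):
        return True
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def strict_redirect_ok(client_id, redirect_uri):
    """Exact full-URI match against the registered list (RFC 6749 s.3.1.2.2).
    Plain http is tolerated only when the host is a real loopback name, so a
    developer's localhost entry cannot be reused over the network, and URIs
    with fragments are rejected outright (fragments are not allowed in
    redirect URIs)."""
    allowed = REGISTERED_REDIRECT_URIS.get(client_id, set())
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or parts.fragment:
        return False
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        return False
    return redirect_uri in allowed


# Constructed authorization-request log format: "req=<n> client=<id> redirect_uri=<uri>"
LOG_RE = re.compile(r"client=(\S+)\s+redirect_uri=(\S+)")


def suspicious_requests(log_lines):
    """Return the redirect_uri of every request that the permissive check
    would pass but exact matching rejects: these are the requests an
    authorization server with the weak check would have misdirected."""
    flagged = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # not an authorization request line
        client_id, uri = match.groups()
        if loose_redirect_ok(client_id, uri) and not strict_redirect_ok(client_id, uri):
            flagged.append(uri)
    return flagged


# Constructed sample log lines.
SAMPLE_LOG = [
    "req=1 client=client-123 redirect_uri=https://app.example.com/oauth/callback",
    "req=2 client=client-123 redirect_uri=http://localhost:8080/callback",
    "req=3 client=client-123 redirect_uri=http://localhost.attacker.example/callback",
    "req=4 client=client-123 redirect_uri=https://app.example.com/oauth/callback#token",
]

if __name__ == "__main__":
    for uri in suspicious_requests(SAMPLE_LOG):
        print("would have been accepted only by the loose check:", uri)
```

Only request 3 is flagged: its host begins with "localhost" but it is a routable DNS name, so the strict check rejects it both as a non-loopback http host and as a URI absent from the registered set. Request 4 fails strict matching because of the fragment, but the loose check never accepted it either, so it is not an instance of this particular weakness.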

Sanso reported the flaw to PayPal on September 9 this year, and received a response 18 days later that indicated PayPal did not consider the issue a vulnerability, the researcher said.

The software developer persisted with the report and in early November PayPal said it had fixed the issue and awarded a bug bounty to Sanso for finding the flaw.
