PayPal has plugged a security hole that could have easily been used to hijack third-party application authentication tokens, giving attackers access to accounts connected to the apps.
The flaw was discovered by Adobe senior software engineer Antonio Sanso while testing his own OAuth client.
The vulnerability stems from PayPal accepting localhost - the hostname that resolves to the IPv4 loopback address 127.0.0.1 and the IPv6 loopback address ::1, i.e. the user's own machine - as a valid host in the redirect_uri parameter of the OAuth authorization flow, Sanso said. (Authorization servers commonly carve out such an exception so developers can test clients locally; the problem is how loosely the exception was matched.)
By creating a domain name system entry for a subdomain of his own website, localhost.intothesymmetry.com, Sanso got PayPal's redirect URI validation to treat an attacker-controlled host as if it were localhost, so the authorization server sent the OAuth tokens to his server - tokens he would normally not have been entitled to see.
The vulnerability worked for any PayPal OAuth client, Sanso said.
Sanso reported the flaw to PayPal on September 9 this year, and received a response 18 days later that indicated PayPal did not consider the issue a vulnerability, the researcher said.
The software developer persisted with the report and in early November PayPal said it had fixed the issue and awarded a bug bounty to Sanso for finding the flaw.