PayPal patches account hijacking flaw

Bug bounty program unearths serious vulnerability.

Payments giant PayPal has patched a flaw that allowed attackers to gain access to any customer account through a targeted attack.

As part of PayPal's bug bounty program, Egyptian researcher Yassar H Ali discovered a cross-site request forgery (CSRF) flaw that allowed attackers to take control of any PayPal account, provided they could convince the target to click on a link.

The "single-click" flaw allowed attackers to bypass the CSRF protection on PayPal's authorisation system when logging into an account.

Attackers need the email address associated with a PayPal login as well as an avenue to send a malicious link to the account owner in order to conduct the attack.

Ali said he discovered that the CSRF auth token was reusable for a specific user name or email address, meaning an attacker who obtained the CSRF token for an account could impersonate that user.

"[Attackers] can obtain the CSRF [token] by intercepting the POST request from a page that provides an auth token before the logging-in process," he wrote.
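To make the reported token-reuse concrete, here is an added illustration (not PayPal's code; the report does not describe the exact mechanism of the original flaw): a CSRF token keyed to the account and handed out before login, next to a token bound to the authenticated session. The class names and the example email address are assumptions.

```python
import hmac
import secrets


class PerAccountCsrf:
    """Flawed design (assumed; modelled on the report above): one token per
    account, issued by a pre-login page to anyone who names the account and
    accepted from any session. Whoever holds the token can act as the account."""

    def __init__(self):
        self._by_email = {}

    def token_for(self, email):
        # Pre-login page: the same token is returned every time for this account.
        return self._by_email.setdefault(email.lower(), secrets.token_urlsafe(32))

    def validate(self, email, token):
        expected = self._by_email.get(email.lower())
        return expected is not None and hmac.compare_digest(expected, token)


class PerSessionCsrf:
    """Hardened design: a fresh random token per authenticated session, stored
    server-side and checked against the session the request arrives in."""

    def __init__(self):
        self._by_session = {}

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def validate(self, session_id, token):
        expected = self._by_session.get(session_id)
        return expected is not None and hmac.compare_digest(expected, token)


def compare_designs(email="victim@example.com"):
    """Constructed scenario: a token learned before login is replayed later."""
    weak = PerAccountCsrf()
    learned_early = weak.token_for(email)              # seen before any login
    replayed_ok = weak.validate(email, learned_early)  # still valid: the defect

    strong = PerSessionCsrf()
    own_token = strong.issue("session-A")
    other_token = strong.issue("session-B")            # another session's token
    return {"per_account_replays": replayed_ok,
            "per_session_cross_rejected": not strong.validate("session-A", other_token),
            "per_session_same_accepted": strong.validate("session-A", own_token)}
```

The per-account design is what lets a token captured before login be replayed against the victim's authenticated session; binding the token to the session makes a captured value worthless outside the session that minted it.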

Once in, an attacker could change user information including payment methods, billing and shipping addresses, user settings and security questions, as well as change email addresses and add fully privileged users to a business account.

Ali was awarded US$10,000 (A$11,910) by PayPal under the bug bounty program.

"Our team worked quickly to address this vulnerability, and we have already fixed the issue," a PayPal spokesperson said.

"There is no evidence that any customer was impacted. We are grateful to the security community for their contributions to the Bug Bounty Program, and helping us keep our customers' information secure."
