PayPal rejects report that exposed critical account takeover vulnerabilities

In a shocking decision, PayPal has rejected vulnerabilities reported by researchers as part of the payment giant’s bug bounty program.

Every tech company that takes its security seriously runs a bug bounty program so that researchers can report flaws before attackers exploit them. PayPal is one of them, though it uses a third-party platform, HackerOne, to handle the entire process. However, this does not appear to be going smoothly.

A few days ago, CyberNews published a report alleging that “PayPal punished us” for finding six critical vulnerabilities.

The vulnerabilities include the following:

1. Their team was able to bypass Authflow – PayPal’s version of 2FA – which the payment provider usually prompts to verify the user’s identity when they try to access their account from a previously unrecognized location. They did so by using PayPal’s mobile app together with a Man-in-the-Middle (MITM) proxy, which gave them an “elevated token” that could then be used to gain access.

(Screenshot; image credit: CyberNews)

Since PayPal credentials can be found on the dark web for as little as $1.50, such an attack is much easier to pull off than it first appears. In response to this revelation, HackerOne – the platform – replied that, because the compromise of user accounts is a prerequisite for this type of attack, “there does not appear to be any security implications as a direct result of this behavior.”

The punishment here was the issue being classified as “Not Applicable,” resulting in a loss of 5 reputation points for CyberNews.

2. The researchers were able to dodge PayPal’s one-time PIN (OTP) security check, which is used to verify that a phone number really belongs to whoever claims to be the account holder. To delve a bit deeper: when a user registers a phone number, a call is made to api-m.paypal.com to send a confirmation message. However, the researchers found that this call could be altered so that the new number was registered without any check at all.

(Screenshot; image credit: CyberNews)

The repercussions of this are obvious. Users can register multiple accounts with the same number, which invites misuse because abandoning one’s previous account becomes a whole lot easier.

See: New ransomware steals PayPal data with phishing link in ransom note

PayPal’s response to this one was even more humiliating. To draw an analogy, think about the time you were seen-zoned (WhatsApp, Messenger, anywhere), I bet it didn’t feel good. Similarly, here too after an initial surge of interest, PayPal just locked the report and walked away.

(Screenshot; image credit: CyberNews)

Ouch.

3. As discussed in vulnerability #1, there are times when PayPal brings in security checks such as 2FA to verify the user’s identity. The triggers include, but are not limited to, the “account access from a new location” discussed above, the use of a new device, a change in payment patterns, or simply an account being very new. Hence, the user may be required to go through extra verification, for example when using a newly added payment method, or, if you’re out of luck, simply get a straight-up “Your payment was denied, please try again later.”

Yet again, this was exploitable through a simple brute force attack, leaving a high chance of misuse. But but but, who cares? Our favorite payment provider once more conveniently put this in the “out-of-scope” category due to the “user account compromised” prerequisite discussed above.
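The defensive lesson behind vulnerabilities #2 and #3 is the same: a verification step only holds if the server keeps the state itself (which number the code was sent to, how many guesses have been made) instead of trusting what the client sends back. The following is an added example written for this article, not CyberNews’ proof of concept or PayPal’s code; the class, session IDs, phone numbers, the five-attempt cap and the five-minute expiry are all constructed assumptions. It shows a phone-verification flow that binds the OTP challenge to the number it was issued for, so swapping the number on the confirm call fails, and that voids the challenge after too many wrong guesses, so the code cannot be brute forced.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed policy: a challenge expires after five minutes
MAX_ATTEMPTS = 5        # assumed policy: wrong guesses allowed before the challenge is voided


@dataclass
class Challenge:
    phone: str      # the number the code was actually sent to
    code: str       # the six-digit one-time PIN
    created: float  # issue time (seconds since epoch)
    attempts: int = 0


class PhoneVerifier:
    """Server-side OTP flow (hypothetical). The number being verified is bound to
    the challenge the server issued, so a client cannot substitute a different
    number or claim 'verified' without the code, and guesses are capped."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms                 # injected transport; a stub in the demo
        self._now = now
        self._pending: dict[str, Challenge] = {}  # session_id -> outstanding challenge
        self.verified: dict[str, str] = {}        # session_id -> confirmed phone number

    def start(self, session_id: str, phone: str) -> None:
        """Issue a fresh random code and remember which number it went to."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = Challenge(phone, code, self._now())
        self._send_sms(phone, code)

    def confirm(self, session_id: str, phone: str, code: str) -> bool:
        """Accept only the issued code, for the issued number, within the limits."""
        ch = self._pending.get(session_id)
        if ch is None:
            return False
        if self._now() - ch.created > OTP_TTL_SECONDS:
            del self._pending[session_id]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._pending[session_id]     # too many guesses: start over with a new code
            return False
        # Constant-time compare on the code; the number must match what the server recorded.
        ok = hmac.compare_digest(ch.code, code) and ch.phone == phone
        if ok:
            del self._pending[session_id]
            self.verified[session_id] = phone
        return ok


def demo() -> dict:
    """Constructed walkthrough: number swap, legitimate confirm, and brute force."""
    sent: dict[str, str] = {}
    v = PhoneVerifier(send_sms=lambda phone, code: sent.__setitem__(phone, code))

    v.start("sess-1", "+15550000001")
    code = sent["+15550000001"]
    swap = v.confirm("sess-1", "+15550000002", code)   # right code, wrong number: refused
    good = v.confirm("sess-1", "+15550000001", code)   # right code, right number: accepted

    v.start("sess-2", "+15550000003")
    code2 = sent["+15550000003"]
    guess = "000000" if code2 != "000000" else "111111"
    wrong = [v.confirm("sess-2", "+15550000003", guess) for _ in range(MAX_ATTEMPTS)]
    locked = v.confirm("sess-2", "+15550000003", code2)  # correct code after the cap: refused

    return {"swap": swap, "good": good, "any_wrong_accepted": any(wrong),
            "locked_out_accepted": locked, "verified": dict(v.verified)}


if __name__ == "__main__":
    print(demo())
```

The key point is that `confirm` never takes a “verified” flag from the client; the only inputs it trusts are the session, the number and the code, and all three are checked against what the server itself recorded when the code was sent.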

See: Microsoft, PayPal & Facebook most targeted brands in phishing scams

4. For users who may have misspelled their name while creating an account, PayPal has a basic check in place that allows users to “only change 1-2 letters of their name once,” after which the option disappears. Despite this, it was found that by capturing the requests made and replaying the process 1-2 letters at a time, a whole name change was possible, as the following example from CyberNews’ team shows.

(Screenshot; image credit: CyberNews)

Moreover, any Unicode symbol could also be added to the name. The problem with this is that, say, a hacker accesses my account. They could then change my name and claim the account as their own. If I sent any documents to PayPal to prove my ownership, they wouldn’t be able to do anything, since the name on the documents would no longer match the account’s new name.

Fortunately, though, the researchers weren’t treated with the same contempt shown for the previous vulnerabilities. The flaw was deemed a duplicate by PayPal, but for a legitimate reason: another researcher had already reported this same flaw (so why hasn’t it been fixed yet?).
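The root cause of vulnerability #4 is that each request was judged against the name as it stood at that moment, so a series of small edits could add up to a full rename, and nothing restricted which characters a name could contain. Below is an added example written for this article, not PayPal’s code or CyberNews’ test; the edit budget of two characters, the allowed-character rule and the sample names are constructed assumptions. It contrasts a naive per-request check with one that measures every change against the originally verified name and rejects non-letter Unicode such as zero-width spaces.

```python
import unicodedata

MAX_EDIT_BUDGET = 2  # assumed policy: total characters that may differ from the verified name


def levenshtein(a: str, b: str) -> int:
    """Classic edit-distance dynamic program (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Canonicalize before comparing, so look-alike encodings are not counted as 'different'."""
    return unicodedata.normalize("NFKC", name).strip()


def allowed_chars(name: str) -> bool:
    """Letters, spaces, hyphens and apostrophes only (assumed rule); this rejects
    control and format characters such as zero-width spaces."""
    return bool(name) and all(c.isalpha() or c in " -'" for c in name)


class NameRecord:
    """Hypothetical account record that enforces a cumulative edit budget."""

    def __init__(self, verified_name: str):
        self.verified_name = normalize(verified_name)  # the name on the documents seen at signup
        self.current_name = self.verified_name

    def request_change(self, new_name: str) -> bool:
        new_name = normalize(new_name)
        if not allowed_chars(new_name):
            return False
        # Measure against the VERIFIED name, not the current one, so replaying
        # one-letter edits cannot accumulate into a completely different name.
        if levenshtein(self.verified_name, new_name) > MAX_EDIT_BUDGET:
            return False
        self.current_name = new_name
        return True


class NaiveNameRecord(NameRecord):
    """The flawed variant: only the distance from the current name is checked,
    and any Unicode is accepted."""

    def request_change(self, new_name: str) -> bool:
        new_name = normalize(new_name)
        if levenshtein(self.current_name, new_name) > MAX_EDIT_BUDGET:
            return False
        self.current_name = new_name
        return True


def demo() -> dict:
    """Constructed replay: three one-letter edits turn 'Ann Lee' into 'Bob Lee'."""
    steps = ["Bnn Lee", "Bon Lee", "Bob Lee"]
    naive, strict = NaiveNameRecord("Ann Lee"), NameRecord("Ann Lee")
    naive_results = [naive.request_change(s) for s in steps]
    strict_results = [strict.request_change(s) for s in steps]
    zwsp_name = "Ann\u200bLee"  # zero-width space instead of a normal space
    return {
        "naive": naive_results, "naive_final": naive.current_name,
        "strict": strict_results, "strict_final": strict.current_name,
        "naive_accepts_zwsp": NaiveNameRecord("Ann Lee").request_change(zwsp_name),
        "strict_accepts_zwsp": NameRecord("Ann Lee").request_change(zwsp_name),
    }


if __name__ == "__main__":
    print(demo())
```

The naive record accepts all three replayed edits and ends up as “Bob Lee”; the strict record allows the first two (one and two characters from the verified name) and refuses the third, and it also refuses the zero-width-space variant that the naive check waves through.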

5. We all love fast online support. After all, waiting for an email from a customer support agent isn’t really what we’d prefer. To tackle this, PayPal has a feature named SmartChat which works as a “self-help chat” feature.

(Screenshot; image credit: CyberNews)

The flaw discovered here was that the text box used to accept messages lacked essential validation checks, which enabled the researchers to “use a man in the middle (MITM) proxy to capture the traffic that was going to PayPal servers and attach a malicious payload.”

See: PayPal users hit with “Payment Successfully Made Via Ali Express” Phishing Scam

This could thereby allow an attacker to execute a malicious script which as CyberNews has stated can allow one to “capture customer support agent session cookies and access their account.”

Now, moving on to PayPal’s response, to draw another colorful analogy: how would you feel if your friend retold your joke louder and got all the laughs in a classroom? Not so great, I reckon. But that’s exactly what happened here, with PayPal telling CyberNews that the flaw was not “exploitable externally” and then quietly fixing the issue themselves. On top of that, since the issue was classified as Not Applicable, CyberNews again lost 5 reputation points.

6. Our last vulnerability resembles the previous one (#5): PayPal’s security questions were again not equipped with essential validation, which allowed the researchers to use the same MITM proxy method. This allows malicious code to be injected, as the example below illustrates:

(Screenshot; image credit: CyberNews)

Once injected, such code can be used for phishing and keylogging. PayPal again deemed this a duplicate issue, as with vulnerability #4, and it was patched on the very same day it was reported.
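Vulnerabilities #5 and #6 share one root cause: validation that only runs in the browser is no validation at all, since a proxy lets the sender replace the request body after the page’s checks have run. What protects the support agent is server-side handling of the text plus escaping at the point where it is rendered, and cookie and CSP settings that limit what a script could do even if one slipped through. The following is an added example written for this article, not PayPal’s or CyberNews’ code; the length limit, the rejection of control characters, the header values and the sample message are constructed assumptions.

```python
import html
import unicodedata
from typing import Optional

MAX_LEN = 500  # assumed field limit for a chat message or security answer


def sanitize_user_text(raw: str) -> Optional[str]:
    """Server-side acceptance check for free-text fields. Runs regardless of
    whatever the browser did, since the browser's checks can be bypassed.
    Returns None when the input must be rejected outright."""
    text = unicodedata.normalize("NFC", raw)
    if len(text) > MAX_LEN:
        return None
    # Reject control characters other than newline and tab; they have no place in chat text.
    if any(unicodedata.category(c) == "Cc" and c not in "\n\t" for c in text):
        return None
    return text


def render_for_agent(text: str) -> str:
    """Escape at output time so stored text is shown, never executed, in the agent's console."""
    return html.escape(text, quote=True)


def agent_console_headers(session_token: str) -> dict:
    """Defense in depth for the page the agent views (assumed values):
    HttpOnly keeps the session cookie out of reach of script, and the CSP
    forbids inline script, so a stray payload cannot read or exfiltrate the cookie."""
    return {
        "Set-Cookie": f"session={session_token}; HttpOnly; Secure; SameSite=Strict; Path=/",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


def demo() -> dict:
    """Constructed sample: a message carrying a script tag, as a proxy would deliver it."""
    incoming = '<script>alert("hi")</script>'
    accepted = sanitize_user_text(incoming)       # text itself is allowed; it is just text
    rendered = render_for_agent(accepted) if accepted is not None else None
    rejected = sanitize_user_text("hello\x00world")  # embedded NUL is refused
    return {
        "rendered": rendered,
        "rejected_control": rejected,
        "headers": agent_console_headers("placeholder-token"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the script tag is not “filtered out”: it is stored as ordinary text and neutralized by escaping when displayed, which is more robust than trying to enumerate dangerous patterns, and the cookie and CSP headers mean that even an escaping mistake elsewhere would not hand over the agent’s session.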

To conclude, all of these vulnerabilities are very serious, even if a couple of them have since been patched. Hence, it is important that PayPal fixes the rest immediately, while also addressing its habit of not acknowledging legitimate reports from ethical hackers.

Additionally, HackerOne should learn from this incident and change how it operates internally, because if such behavior is not rectified, bounty hunters will eventually turn away from such companies and platforms.
