PayPal Addresses Months-Old SQL Injection Vulnerability, Frozen Accounts


Researchers with Vulnerability Lab today announced mega payment processor PayPal has fixed a flaw on its site that allowed a remote user or a local user with low privileges to compromise a Web application using a blind SQL injection.

The vulnerability was first reported to PayPal back in August, according to Softpedia, but the company waited until now to announce a fix. PayPal awarded the researchers a $3,000 bounty for responsibly disclosing their find.

“The security hole existed in the unique number field of the email confirmation module…. The affected parameter was ‘login_confirm_number_id,’ bearing the name ‘login_confirm_number,’” according to the site. “The validation of the confirm number input field is watching all the context since the first valid number matches. The attacker uses a valid number and includes the statement after it to let both pass through the PayPal application filter.

“The result is the successful execution of the SQL command when the module is processing to reload the page module. Exploitation of the vulnerability requires a low privileged application user account to access the website area and can be processed without user interaction.”
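The validation flaw the advisory describes, a check that passes as soon as a valid number appears at the start of the input, is easy to reproduce and to fix. The following is an added example written for this article, not code from the advisory or from PayPal; the table, column names and confirmation numbers are constructed assumptions. It places the loose prefix check and string-built query beside a whole-string check and a parameterised query.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a confirmation-number store.
# Schema, column names and numbers are assumptions for this example, not PayPal's.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE confirmations (login_confirm_number INTEGER, email TEXT)")
conn.executemany(
    "INSERT INTO confirmations VALUES (?, ?)",
    [(123456, "alice@example.test"), (654321, "bob@example.test")],
)

NUMBER = re.compile(r"\d{6}")


def loose_validate(value: str) -> bool:
    """re.match only needs the pattern at the start of the input: whatever
    follows a valid six-digit number is ignored, mirroring the 'first valid
    number matches' behaviour the advisory describes."""
    return NUMBER.match(value) is not None


def strict_validate(value: str) -> bool:
    """fullmatch requires the entire input to be the six-digit number."""
    return NUMBER.fullmatch(value) is not None


def lookup_unsafe(value: str) -> int:
    """Vulnerable pattern: loose validation plus SQL built by string formatting.
    Returns the number of rows the resulting query matched."""
    if not loose_validate(value):
        return 0
    sql = f"SELECT email FROM confirmations WHERE login_confirm_number = {value}"
    return len(conn.execute(sql).fetchall())


def lookup_safe(value: str) -> int:
    """Hardened pattern: whole-string validation, then a parameterised query so
    the value is always bound as data and never interpreted as SQL."""
    if not strict_validate(value):
        return 0
    rows = conn.execute(
        "SELECT email FROM confirmations WHERE login_confirm_number = ?",
        (int(value),),
    ).fetchall()
    return len(rows)


if __name__ == "__main__":
    tainted = "123456 OR 1=1"  # constructed: a valid number with a statement after it
    print(loose_validate(tainted), lookup_unsafe(tainted))  # True 2
    print(strict_validate(tainted), lookup_safe(tainted))   # False 0
```

The loose path matches every row for the tainted input, while the strict path rejects it before any query runs; a genuine confirmation number still resolves to exactly one row on both paths.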

The researchers also provided proof of concept that details the discovery.

PayPal made news earlier this week with a nebulous announcement it planned to introduce “drastic changes” in how it handles suspected fraud.

The company has been heavily criticized for a current policy and aggressive fraud filters that routinely lock out legitimate businesses and charities when there’s a surge in donations or orders. The average freeze is three weeks, but the terms of service allow PayPal to take up to 180 days to resolve a case.

“These are not minor — these are aggressive changes,” Anuj Nayar, PayPal’s senior director of communications, told CNN Money, adding that better communications would be a cornerstone of the new policy. “This is a fundamental shift in our business operations.”

Currently, if an account is frozen, the account holders must provide paperwork, such as bank statements and tax records, before the company will release the funds. This can severely impact both businesses and charities who need access to cash before the company has completed its investigation. Grassroots fundraisers, such as those to help someone with treatments or unexpected medical expenses, in particular may have trouble producing the documentation in time-sensitive situations.

“At a minimum, the fact that someone needs to mail in something to an online payments company is a problem,” Nayar said. “2013 is going to be the year that we fix a lot of those pain points.”


Discussion

  • Anonymouse on

    too little, too late. Paypal lost my business years ago.

  • khrystle-raine on

    If you really read PayPal's complete 'agreement form' you would NEVER make use of their services. I refer to the part specifically letting you know that the funds in your account will be 'pooled' and only portions will be released. (I've paraphrased, obviously, but the sentiment is the same.) Any wonder they take 180 days to resolve issues? They obviously use the money in their OWN portfolios, generating income to THEIR company. The funds aren't available as they have them locked up in some stock or other... (Okay, so this is my idea of what they do with it, but reading the agreement... yup, that's what I get out of it...) *khrys...

  • Hegert Julian on

    I like the changes of PayPal and also the patched blind SQL vulnerability in the core service.
    PayPal needs to be more offensive to disallow washing of money and international fraud.

    The money gets held since the government confirms what the customer needs to explain when a big amount of money arrives. They do not need to generate money out of other people's money in this way. I think PayPal will soon be much more secure because of an obvious and clean change of the structure when processing the payments. I am a customer of PayPal and I will stay at PayPal. I also need to say I am a bit impressed about how the German guy can bypass every filter. I am shocked when reading the issue but feel secure when reading it is patched.
