PayPal recently fixed a vulnerability on its PayPal.me site that could have let an attacker change a user’s profile without permission.
The issue stemmed from a cross-site request forgery (CSRF) vulnerability that existed in PayPal.me, a site the company launched last year to let its users request money; similar to what Venmo, another property it owns, does.
Florian Courtial, a French software engineer who hunts for bugs in his spare time discovered the vulnerability and discussed it on his personal blog earlier this week. Courtial previously disclosed bugs in Slack and the project management app Trello.
Courtial found the bug while rooting around both PayPal.com and PayPal.me for CSRF vulnerabilities. Using Burp Suite, he discovered he could remove or edit the CSRF token and in turn update a user’s PayPal profile picture. The HTML was missing a few headers, like X-Frame-Options: DENY, something that allowed him to submit the form without redirection.
While Courtial was greeted with an error, due to another missing header (X-Requested-With: XMLHttpRequest) he claims he was still able to change the profile image, a hack he demonstrates in proof of concept video:
A user action is required to carry out the attack, Courtial stresses. A victim would have to be tricked into visiting a malicious site that hosts Courtial’s code, which triggers HTML on the page to submit a form and carry out the CSRF attack. Same Origin Policy, the concept that permits scripts contained in one web page to access data in a second web page, on its own isn’t enough to thwart CSRF attacks. In this instance by submitting an application/x-www-form-urlencoded POST request an attacker can deliver a payload.
By exploiting the vulnerability the worst someone could do is change the profile image of another user. But since Paypal.me pages can be used in a professional capacity and serve as a public profile for users, it could have been embarrassing if someone had used the vulnerability, perhaps to change the image to something profane or offensive, on a user.
Courtial reported the bug to PayPal via HackerOne. While it may not have been the most critical bug, his discovery still qualified for a $750 bounty.
Earlier this year PayPal was forced to patch a much nastier bug, a java serialization vulnerability, in its manager.paypal.com site. If exploited that vulnerability could have allowed an attacker to do more than change a user’s photo; it could’ve let them execute shell commands and open a backdoor on PayPal’s servers.