PayPal patched a zero-day vulnerability this week in its core content management system. Researchers at Vulnerability Laboratory in Germany reported the flaw in June and withheld disclosure of the details until this week when PayPal released a fix.
Benjamin Kunz Mejri, a frequent PayPal bug hunter, said his team discovered a persistent input validation vulnerability in the address book module’s search function that would allow an attacker to remotely inject malicious script on the application side.
“The code will be executed out of the search result listing web context,” Mejri said. “Remote exploitation requires low user interaction and a privileged PayPal banking application user account.”
Exploits could lead to session and account hijacking, Mejri said, as well as persistent access to the search field.
Mejri’s proof-of-concept attack requires access to a user account where a contact entry containing the malicious code injection is saved in the address book. When the victim uses the search function in the address book and clicks search, the exploit is activated. The attacker will have persistent access to the code, Mejri explained.
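The defect class described above, as an added illustration that is not code from the article or from PayPal: a minimal address-book search result renderer that interpolates a stored contact field straight into the listing markup, beside the hardened version that HTML-encodes it. The address book entries, the field names and the markup in the third entry are all constructed for this example.

```javascript
// Added example (not from the article or PayPal): a stored contact entry
// rendered into the search result listing without output encoding, next
// to the hardened renderer that encodes every untrusted value.

// Constructed sample address book; the third entry's name field carries
// markup, standing in for a saved contact entry containing injected code.
const ADDRESS_BOOK = [
  { name: "Alice Example", email: "alice@example.invalid" },
  { name: "Bob Example", email: "bob@example.invalid" },
  { name: 'Mallory <img src=x onerror="alert(1)">', email: "m@example.invalid" },
];

function findContacts(contacts, query) {
  const q = query.toLowerCase();
  return contacts.filter((c) => c.name.toLowerCase().includes(q));
}

// Vulnerable pattern: the stored field lands in the HTML as-is, so the
// payload executes in the search result listing's web context.
function renderResultsUnsafe(contacts, query) {
  const items = findContacts(contacts, query)
    .map((c) => `<li>${c.name} &lt;${c.email}&gt;</li>`);
  return "<ul>" + items.join("") + "</ul>";
}

// Hardened pattern: HTML-entity encode each untrusted value at output time,
// so a stored payload is displayed as text rather than parsed as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderResultsSafe(contacts, query) {
  const items = findContacts(contacts, query)
    .map((c) => `<li>${escapeHtml(c.name)} &lt;${escapeHtml(c.email)}&gt;</li>`);
  return "<ul>" + items.join("") + "</ul>";
}

// Detection helper for a unit test: does the rendered listing still carry
// a tag that a browser would execute?
function containsLiveTag(html) {
  return /<(img|script|svg|iframe)\b/i.test(html);
}
```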
This isn’t the first time Vulnerability-Lab cashed in with PayPal’s Bug Bounty Program. Mejri was credited with finding three remote access flaws in late November, including a cross-site scripting vulnerability in the PayPal Community Forum add-tags feature.
That bug allowed an attacker to execute script on the client, as well as hijack browser cookies.
He also discovered an input validation flaw in PayPal’s Plaza shopping application, specifically in the egreetings Web service. An attacker exploiting the vulnerability would be able to inject malicious code into some of the greetings’ fields.
Mejri also found a previous bug in the content management system that could redirect users to an external site hosted by the attacker.
The PayPal Bug Bounty program is less than six months old. The security team at PayPal accepts only cross-site scripting, cross-site request forgery, SQL injection and authentication bypass flaws for the program, and researchers must give PayPal reasonable time to fix the security issues in question before collecting a bounty and disclosing any details.