Persistent Input Validation Zero Day Patched by PayPal

Author: Michael Mimoso
minute read

PayPal patched a zero-day vulnerability this week in its core content management system. Researchers at Vulnerability Laboratory in Germany reported the flaw in June and withheld disclosure of the details until this week when PayPal released a fix.Benjamin Kunz Mejri, a frequent PayPal bug hunter, said his team discovered a persistent input validation vulnerability in the address book module’s search function that would allow an attacker to remotely inject malicious script on the application side.

Paypal patchPayPal patched a zero-day vulnerability this week in its core content management system. Researchers at Vulnerability Laboratory in Germany reported the flaw in June and withheld disclosure of the details until this week when PayPal released a fix.

Benjamin Kunz Mejri, a frequent PayPal bug hunter, said his team discovered a persistent input validation vulnerability in the address book module’s search function that would allow an attacker to remotely inject malicious script on the application side.

“The code will be executed out of the search result listing web context,” Mejri said. “Remote exploitation requires low user interaction and a privileged PayPal banking application user account.”

Exploits could lead to session and account hijacking, Mejri said, as well as persistent access to the search field.

 Mejri’s proof-of-concept attack requires access to a user account where a contact entry containing the malicious code injection is saved in the address book. When the victim uses the search function in the address book and clicks search, the exploit is activated. The attacker will have persistent access to the code, Mejri explained.

This isn’t the first time Vulnerability-Lab cashed in with PayPal’s Bug Bounty Program. Mejri was credited with finding three remote access flaws in late November, including a cross-site scripting vulnerability in the PayPal Community Forum add-tags feature.

That bug allowed an attacker to execute script on the client, as well as hijack browser cookies.

He also discovered an input validation flaw in PayPal’s Plaza shopping application, specifically in the egreetings Web service. An attacker exploiting the vulnerability would be able to inject malicious code into some of the greetings’ fields.

Mejri also found a previous bug in the content management system that could redirect users to a external site hosted by the attacker.

The PayPal Bug Bounty program is less than six months old. The security team at PayPal accepts only cross-site scripting, cross-site request forgery, SQL injection and authentication bypass flaws for the program, and researchers must give PayPal reasonable time to fix the security issues in question before collecting a bounty and disclosing any details.

Suggested articles

PayPal 2FA Bypass Shows Difficulty of Getting Authentication Right

Oftentimes, looking at a given security vulnerability or mistake by a vendor, it’s easy to wonder how on earth the bug got through in the first place or the company didn’t catch the problem earlier. That definitely could have been the case with the recently disclosed bypass of PayPal’s two-factor authentication mechanism, but, as is […]

PayPal Fixes Trio of Remote-Access Vulnerabilities

PayPal has repaired three remote-access vulnerabilities found in different areas of its website, including a cross-site scripting (XSS) flaw on its PayPal Community Forum. All three flaws were submitted to PayPal’s Bug Bounty Program.Researcher Benjamin Kunz Mejri of Vulnerability-Lab reported the security vulnerabilities to PayPal in September; patches were released in late October according to an advisory posted this week to the Full Disclosure list.

5
Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.