Persistent Input Validation Zero Day Patched by PayPal

PayPal patched a zero-day vulnerability this week in its core content management system. Researchers at Vulnerability Laboratory in Germany reported the flaw in June and withheld disclosure of the details until this week when PayPal released a fix.Benjamin Kunz Mejri, a frequent PayPal bug hunter, said his team discovered a persistent input validation vulnerability in the address book module’s search function that would allow an attacker to remotely inject malicious script on the application side.

Paypal patchPayPal patched a zero-day vulnerability this week in its core content management system. Researchers at Vulnerability Laboratory in Germany reported the flaw in June and withheld disclosure of the details until this week when PayPal released a fix.

Benjamin Kunz Mejri, a frequent PayPal bug hunter, said his team discovered a persistent input validation vulnerability in the address book module’s search function that would allow an attacker to remotely inject malicious script on the application side.

“The code will be executed out of the search result listing web context,” Mejri said. “Remote exploitation requires low user interaction and a privileged PayPal banking application user account.”

Exploits could lead to session and account hijacking, Mejri said, as well as persistent access to the search field.

 Mejri’s proof-of-concept attack requires access to a user account where a contact entry containing the malicious code injection is saved in the address book. When the victim uses the search function in the address book and clicks search, the exploit is activated. The attacker will have persistent access to the code, Mejri explained.

This isn’t the first time Vulnerability-Lab cashed in with PayPal’s Bug Bounty Program. Mejri was credited with finding three remote access flaws in late November, including a cross-site scripting vulnerability in the PayPal Community Forum add-tags feature.

That bug allowed an attacker to execute script on the client, as well as hijack browser cookies.

He also discovered an input validation flaw in PayPal’s Plaza shopping application, specifically in the egreetings Web service. An attacker exploiting the vulnerability would be able to inject malicious code into some of the greetings’ fields.

Mejri also found a previous bug in the content management system that could redirect users to a external site hosted by the attacker.

The PayPal Bug Bounty program is less than six months old. The security team at PayPal accepts only cross-site scripting, cross-site request forgery, SQL injection and authentication bypass flaws for the program, and researchers must give PayPal reasonable time to fix the security issues in question before collecting a bounty and disclosing any details.

Suggested articles

PayPal 2FA Bypass Shows Difficulty of Getting Authentication Right

Oftentimes, looking at a given security vulnerability or mistake by a vendor, it’s easy to wonder how on earth the bug got through in the first place or the company didn’t catch the problem earlier. That definitely could have been the case with the recently disclosed bypass of PayPal’s two-factor authentication mechanism, but, as is […]

PayPal Fixes Trio of Remote-Access Vulnerabilities

PayPal has repaired three remote-access vulnerabilities found in different areas of its website, including a cross-site scripting (XSS) flaw on its PayPal Community Forum. All three flaws were submitted to PayPal’s Bug Bounty Program.Researcher Benjamin Kunz Mejri of Vulnerability-Lab reported the security vulnerabilities to PayPal in September; patches were released in late October according to an advisory posted this week to the Full Disclosure list.

Discussion

  • SvenYA on

    I really like this guy. Benjamin obviously changes a lot and he is hacking the most important services in the world. I use paypal daily and i know the search function of the adibook.

    I am glad to hear paypal has addressed the vulnerability silent and fast. Another very nice side effect of bens disclosure is => Earlier in 2009-2010-2011 the news ever reported about paypal in a negative way, looks like the perspective changed which is much more productive for both parties.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.