Researchers recently discovered a smattering of vulnerabilities in web applications and mobile applications belonging to companies like Yahoo, PayPal, Magento, and Shopify that could have led to account theft, session hijacking, and phishing, among other consequences.
Hadji Samir, Ebrahim Hegazy, Ayoub Ait Elmokhtar, and Benjamin Kunz Mejri, researchers with Vulnerability Lab, found the bugs earlier this year but only recently disclosed them.
The researchers found three separate issues in web apps developed by PayPal, including a severe vulnerability that could have let an attacker bypass a verification check meant to approve the account owner. Mejri discovered that even if two factor authentication was enabled on the app, if a user attempted to login with the wrong credentials and got blocked, they could still get into their account. In a writeup on the vulnerability last week Mejri said that a user could access another user’s account via the mobile API simply by swapping out expired cookies for legitimate ones.
On top of the two factor authentication bypass bug, PayPal also recently patched an open redirect web vulnerability, discovered by Elmokhtar, that could’ve been exploited remotely. It also addressed a stored cross-site scripting vulnerability in its Online Service Web Application back in August, found by Hegazy, that could’ve been exploited to purchase goods or transfer funds.
Another issue the researchers brought up existed in Gemini, Yahoo’s marketplace for mobile and native ads. If exploited the Cross Site Request Forgery (CSRF) bug could have enabled an attacker to inject malicious code to compromise client-side app to browser requests, along with session data.
Lastly the researchers disclosed two different persistent file name vulnerabilities in two e-commerce platforms, one in the eBay-owned Magento, and one in Shopify.
Both vulnerabilities, since fixed, could have let a remote attacker upload their own malicious files to the application-sides of the service modules. If compromised, they could lead to a handful of issues for both apps, including session hijacking, persistent phishing attacks, persistent redirects to external malicious sources, and more.
It’s the seventh bug in Magento that Samir has dug up this year. In June he came across three issues, a CSRF vulnerability, a XSS bug, and a different persistent filename vulnerability in the company’s e-commerce platform.
Ironically the most recent vulnerability Samir found was in the module on Magento’s site in charge of reporting bugs. Instead of reporting a bug, if an attacker wanted to upload a file with a payload script code as a filename via POST, the payload code would execute.