Researchers at cybersecurity firm Cybernews released a report detailing the finding of six vulnerabilities in the electronic payment system PayPal that, if exploited, would allow threat actors to carry out various attacks, from multi-factor authentication bypass, to malicious code sending, among others.
Below we found a brief explanation of each of the vulnerabilities found during this research. As already mentioned, its exploitation mainly affects the end users of the system.
Two-factor authentication bypassing (2FA)
Cybersecurity specialists discovered that it is possible to bypass two-factor authentication (2FA) using the current version of the PayPal app for Android; this security measure is activated when the user tries to log into the platform from a new device, location, or IP address. To do this, the researchers used a MiTM proxy and, after a series of steps, obtained a token to log into the account.
The flaw has not been corrected, so it is not possible to reveal more technical details of the attack. In addition, this process is little complex and takes a few minutes to complete, so users are exposed to serious danger.
One Time PIN-less phone verification
Researchers also discovered a way to confirm a new phone number on PayPal without the one-time PIN (OTP), a system to check if a phone number is associated with the account holder. Otherwise, the number is rejected.
When a user registers a new phone, a call is made to api-m.paypal.com, which sends the status of the phone confirmation. Specialists demonstrated that it is possible to change this call very easily, so PayPal will confirm the registration of the new number incorrectly.
Omission of secure sending of money
To prevent fraud and other unlawful conduct, PayPal implemented, among other measures, a mechanism that is activated if one or more of the following conditions are detected:
- A new device is detected
- Detected attempts to send payments from a different location or IP address
- Changes in users’ regular transfer and payment pattern are detected
- The account is newly created
If these conditions are met, PayPal throws some error messages to users such as:
- “You will need to link a new payment method to send the money”
- “Your payment was denied, try again later”
During the investigation it was discovered that this send blocking mechanism is vulnerable to brute force attacks, so an attacker with access to PayPal credentials can access the compromised accounts.
Full name change
A default feature in PayPal states that users can only change one or two characters of their name at a time; after doing so, this option disappears. Cybersecurity specialists created a test account to demonstrate the presence of a flaw that allows full name modification at any time.
XSS Vulnerability in SmartChat
SmartChat is a self-help chat on PayPal that allows users to access the most frequent questions and answers. Cybersecurity specialists found that this implementation lacks validation that verifies the text that users enter. Using a Man-in-The-Middle (MiTM) attack, the researchers were able to capture traffic directed at PayPal’s servers and add a malicious payload to them.
XSS vulnerability in security questions
This is a similar flaw to the above and exists because PayPal does not debug its Security Questions entry. The fault is exploitable using the same method described in the previous paragraph. Below is a screenshot that includes the test code injected into the target account, resulting in a clickable link:
A threat actor can inject scripts into other people’s accounts to extract sensitive data.
According to the International Institute of Cyber Security (IICS), reported flaws have not been corrected, so millions of PayPal users remain exposed to their exploitation. Like many other technology firms, PayPal has a vulnerability bounty program, operated through the HackerOne platform. Although this is one of the best-known disclosure platforms, cybersecurity specialists believe that HackerOne’s current reporting model somewhat hinders the work of ethical hackers and even encourages illicit practices such as the sale of exploits on the hacking black market.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.