Paypal Fixes Three Remote Access Vulnerabilities Computer Science Essay


PayPal is a globally known e-commerce business that allows payments and money transfers through the Internet. It substitutes online transfers for traditional paper methods of moving money such as cheques or money orders [1]. Recently, three remote-access vulnerabilities were discovered on the PayPal website and submitted to PayPal's Bug Bounty Program. The vulnerabilities were reported by researcher Benjamin Kunz Mejri of Vulnerability-Lab in a report sent in September 2012. Patches for the flaws were released in late October [2].

One of the flaws discovered was a client-side web vulnerability, together with a stable error, in the official PayPal Community Forum Portal. The vulnerability was located precisely in the add-tags function and the bound replace module of the community forum page [1]. An XSS bug of this kind can be used to execute script on the client side and to hijack browser cookies; such client-side requests can also lead to session hijacking and phishing attacks [2].

Figure 1

As a result of the bug, attackers could easily replace the standard string value with malicious code or a link to an attacker-controlled website. This was possible by replacing the standard string value using the characters > " < ../ and then linking it to an existing uniform resource locator (URL). Attackers were able to insert script code as the name of a folder and then inject further script code, eventually causing a system crash with an unhandled exception [1]. This becomes possible when the client-side exception handling is bypassed through another validation vulnerability. The vulnerability was rated as a medium-severity threat, and a patch was released on October 29, 2012. The client-side input validation vulnerability and the stable error were patched by parsing the rc parameter of the request [1], and the add-tag function was restricted using a character mask. A filter or an exception-handling function was suggested as an alternative. The fix therefore prevented any further permanent errors or script code attacks on the client side [1].
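The character-mask fix described above, as an added illustration that is not PayPal's code or the researcher's: tag names are accepted only if they match an allow-list of characters (so the > " < ../ sequence is rejected outright), and whatever is stored is still HTML-encoded on output as defence in depth. The mask, the length limit and the forum tag markup are assumptions made here, not details from the report.

```python
import html
import re

# Assumed character mask: words of letters, digits, hyphen or underscore,
# separated by single spaces. Anything else (quotes, angle brackets, "../",
# control characters) fails the match and never reaches storage.
TAG_MASK = re.compile(r"^[A-Za-z0-9_-]+(?: [A-Za-z0-9_-]+)*$")
MAX_TAG_LEN = 30  # assumed limit


def is_valid_tag(tag: str) -> bool:
    """Server-side validation for one tag submitted to an add-tags form."""
    return 0 < len(tag) <= MAX_TAG_LEN and TAG_MASK.fullmatch(tag) is not None


def add_tags(existing, raw_tags):
    """Hypothetical add-tags handler: returns (accepted_tags, rejected_inputs).

    Rejected inputs are returned unchanged so the caller can log them for
    detection, but they are never merged into the stored tag list.
    """
    accepted, rejected = list(existing), []
    for raw in raw_tags:
        tag = raw.strip()
        if is_valid_tag(tag) and tag not in accepted:
            accepted.append(tag)
        else:
            rejected.append(raw)
    return accepted, rejected


def render_tag(tag: str) -> str:
    """Output encoding: even a value that slipped past validation is inert."""
    return f'<span class="tag">{html.escape(tag, quote=True)}</span>'


if __name__ == "__main__":
    # Constructed sample submission: one good tag, two malformed ones.
    good, bad = add_tags(["help"], ["payments", '>"<../<script>alert(1)</script>', "../../etc"])
    print("accepted:", good)
    print("rejected for review:", bad)
    print(render_tag(bad[0]))
```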

The second vulnerability was an input validation vulnerability. It was discovered in the e-greetings web service application on the official PayPal Plaza website, a shopping application of PayPal [2]. According to Mejri, an attacker needs to be logged in to the PayPal application to send a malicious greeting mail through the outgoing PayPal mail server. The severity of the attack was categorized as medium [3]. The bug allows the attacker to insert malicious script code on the application side of the e-greetings web service. The vulnerability was present in Step 5 of the e-greeting module notification. It required very little user interaction and no privileged accounts. The attacker could achieve session hijacking and steal customer accounts and other details through continuous web attacks or via manipulation of the mail notification context [3]. The patch released by Vulnerability-Lab was successfully applied, and the vulnerability was removed, allowing the PayPal Plaza application to function normally again.

The third bug found on the PayPal e-commerce website was a redirection web vulnerability. It was a client-side redirection vulnerability located in the content management system [4]. Bugs of this kind let remote attackers craft client-side requests that redirect a victim to an external malicious target. The actual location of the vulnerability was the export module, with the bound vulnerable back-to-portal and portal URL parameters. The vulnerability did not require any privileged user accounts and could be exploited with medium or high user interaction. Successful exploitation can cause external redirections, client-side spam and phishing mails [4]. By redirecting a victim to an external site through the original PayPal domain, user credentials such as account details can be compromised and the account stolen [2].
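A defensive check for a "back-to-portal" style redirect parameter, as an added example that is not PayPal's code: the value is accepted only if it is a plain path on the portal itself or an absolute HTTPS URL whose host is on an allow-list, so an external target, a scheme-relative `//host` value, a `javascript:` scheme or a userinfo trick such as `https://portal@evil/` is refused. The portal origin and allowed host are constructed placeholders.

```python
from urllib.parse import urlsplit, urljoin

PORTAL_ORIGIN = "https://portal.example.invalid"   # constructed placeholder
ALLOWED_HOSTS = {"portal.example.invalid"}          # assumed allow-list


def safe_redirect_target(param):
    """Return an absolute URL to redirect to, or None if the value is unsafe.

    Returning None lets the caller fall back to a fixed portal page and log
    the rejected value, which is also a useful detection signal.
    """
    if not param:
        return None
    # Backslashes are treated like slashes by browsers, and whitespace or
    # control characters can smuggle a second URL; refuse them outright.
    if any(c == "\\" or ord(c) <= 0x20 for c in param):
        return None
    parts = urlsplit(param)
    if parts.scheme:
        # Absolute URL: only https and only an allow-listed host. hostname is
        # taken after any user:pass@ prefix, so "https://portal@evil/" fails.
        if parts.scheme.lower() != "https" or parts.hostname not in ALLOWED_HOSTS:
            return None
        return param
    if parts.netloc:
        # Scheme-relative "//evil.example/..." resolves off-site.
        return None
    # Relative path: must start with exactly one "/" so it stays on the portal.
    if not param.startswith("/") or param.startswith("//"):
        return None
    return urljoin(PORTAL_ORIGIN, param)


if __name__ == "__main__":
    # Constructed sample parameter values as they might arrive in a request.
    for value in ["/portal/home", "//evil.example/phish", "https://evil.example/",
                  "https://portal.example.invalid@evil.example/", "javascript:alert(1)"]:
        print(repr(value), "->", safe_redirect_target(value))
```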

The PayPal Bug Bounty Program allows security researchers to disclose bugs privately to PayPal and offers them bounties in return for the work [5]. The three vulnerabilities discussed above were discovered through the Bug Bounty Program by Vulnerability-Lab researcher Benjamin Kunz Mejri and his team [2]. The payment methods and amounts are undisclosed and depend on the decision of the security team that evaluates the reported flaws. Similar programs have already been implemented by Google, Facebook, Mozilla, Samsung and other leading companies [5]. Such programs have been described as an effective way to find potential issues in Internet-based services, reducing disputes between users and companies, website downtime caused by such attacks, and other problems caused by malicious attackers [5].
