Paypal Fixes Three Remote Access Vulnerabilities Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

PayPal is a globally known e-commerce business that allows payments and money transfers through the Internet. It replaces traditional paper methods of transferring money, such as cheques or money orders, with online transfers [1]. Recently, PayPal discovered three remote-access vulnerabilities in its website, and the flaws found were submitted to PayPal's Bug Bounty Program. The vulnerabilities were reported by researcher Benjamin Kunz Mejri of Vulnerability-Lab, and the report was sent in September 2012. Patches for the flaws were released in late October [2].

One of the flaws discovered was a client-side Web vulnerability and a stable error present in the official PayPal Community Forum portal. The vulnerability was located in the add-tags function and the bound replace module of the community forum page [1]. An XSS bug can be used to execute script on the client side and to hijack browser cookies. Client-side requests can sometimes also lead to session hijacking and phishing attacks [2].


As a result of the bug, attackers could easily substitute malicious code or a link to an attacker's website for the standard string value. This was possible by replacing the standard value string using the > " < ../ and then linking it to an existing uniform resource locator (URL). The attackers were able to insert the script code as the name of a folder and then inject more script code, eventually causing a system crash with an unhandled exception [1]. This is possible when the client-side exception handling is bypassed using another validation vulnerability. The vulnerability was considered a medium-severity threat, and a patch for it was released on October 29, 2012. The client-side input validation vulnerability and the stable error were patched by parsing the rc parameter request [1]. The add-tag function was restricted using a character mask. A filter or an exception-handling function was suggested as an alternative. With the patch in place, the vulnerability no longer allowed permanent errors or script code attacks on the client side [1].
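The mitigation described above (a character mask on the add-tag input, with invalid values handled rather than left to raise) can be sketched as follows. This is an added example, not PayPal's code; the mask policy, the `/tags/` path and all function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote

# Assumed policy for this sketch: a tag is 1-32 characters drawn from
# letters, digits, space, hyphen and underscore. Anything else is rejected.
TAG_MASK = re.compile(r"[A-Za-z0-9 _-]{1,32}")


class InvalidTag(ValueError):
    """Raised when a submitted tag falls outside the character mask."""


def validate_tag(raw: str) -> str:
    """Return the trimmed tag if it matches the mask, else raise InvalidTag."""
    tag = raw.strip()
    if not TAG_MASK.fullmatch(tag):
        raise InvalidTag("tag contains characters outside the allowed mask")
    return tag


def render_tag_link(tag: str) -> str:
    """Build the tag link, encoding separately for the URL and HTML contexts."""
    url = "/tags/" + quote(tag, safe="")  # hypothetical route
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(tag)}</a>'


def add_tags(submitted: list[str]) -> tuple[list[str], list[str]]:
    """Split submitted tags into (accepted HTML links, rejected raw values)."""
    accepted, rejected = [], []
    for raw in submitted:
        try:
            accepted.append(render_tag_link(validate_tag(raw)))
        except InvalidTag:
            # Handled here so a bad tag never becomes an unhandled exception.
            rejected.append(raw)
    return accepted, rejected


# Constructed sample input; the second value uses the characters the essay lists.
SAMPLE = ["bug bounty", '> " < ../', "payments_2012"]

if __name__ == "__main__":
    ok, bad = add_tags(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```

The output encoding in `render_tag_link` is kept even though the mask already rejects markup characters, so that a later loosening of the mask does not reopen the injection path.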

The second vulnerability was an input validation vulnerability. It was discovered in the e-greetings web service application on the official PayPal Plaza website, which is a shopping application of PayPal [2]. According to Mejri, an attacker needs to be logged in to the PayPal application to send a malicious greeting mail using the outgoing PayPal mail server. The severity of the attack was categorized as medium [3]. The bug can enable the attacker to insert malicious script code on the application side of the e-greetings web service. The vulnerability was found in Step 5 of the e-greeting module notification. It required very little user interaction and no privileged accounts. The attacker could successfully achieve session hijacking and steal customer accounts and other details using continuous web attacks or via mail notification context manipulation [3]. The patch released by Vulnerability-Lab was successfully applied and the vulnerability was removed, allowing normal functioning of the PayPal Plaza application.

The redirection web vulnerability was the third bug found in the PayPal website running the e-commerce website application. It was found to be a client-side redirection vulnerability located in the context management system [4]. The bug enables remote attackers to form client-side requests and use them to redirect a victim to an external malicious target. The actual location of the vulnerability was found to be in the export module with the bound vulnerable back-to-portal and the portal url_paramenter. The vulnerability did not require any privileged user accounts and can be carried out with medium or high user interaction. Successful exploitation can cause external redirections, client-side spam and phishing mails [4]. By redirecting a victim to an external site through the original PayPal domain, user credentials such as account details can be compromised and thus an account can be stolen [2].
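A server-side check that closes this class of redirection bug validates the requested target before issuing the redirect. The following is an added example, not PayPal's code; the allowed hosts, the default target and the function name are placeholders, and the check is assumed to run on the value of a back-to-portal style parameter.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: placeholder hosts the portal may redirect to,
# and the page used when the requested target is refused.
ALLOWED_HOSTS = {"www.example-shop.test", "community.example-shop.test"}
DEFAULT_TARGET = "/portal"


def safe_redirect_target(candidate: str) -> str:
    """Return candidate if it stays on an allowed host, else DEFAULT_TARGET."""
    # Browsers normalise backslashes and strip control characters, so a URL
    # containing them can parse differently here than in the victim's browser.
    if not candidate or any(ord(ch) < 0x21 or ch == "\\" for ch in candidate):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:  # malformed authority, e.g. an unterminated IPv6 literal
        return DEFAULT_TARGET

    if not parts.scheme and not parts.netloc:
        # Same-site path: must be rooted. "//host/..." is scheme-relative and
        # parses with a netloc, so it never reaches this branch.
        return candidate if candidate.startswith("/") else DEFAULT_TARGET

    if parts.scheme != "https" or has_userinfo:
        # Refuses javascript:, http:, and "https://trusted@other-host/" forms.
        return DEFAULT_TARGET
    return candidate if host in ALLOWED_HOSTS else DEFAULT_TARGET


# Constructed sample values covering the common bypass shapes.
SAMPLES = [
    "/account/overview",
    "https://community.example-shop.test/export?id=7",
    "//other-site.test/login",
    "https://www.example-shop.test@other-site.test/",
    "https://www.example-shop.test.other-site.test/",
    "javascript:void(0)",
    "/\\other-site.test",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:55} -> {safe_redirect_target(s)!r}")
```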

The PayPal Bug Bounty Program allows security researchers to privately disclose bugs to PayPal and in return offers them bounties for the work [5]. The three vulnerabilities discussed above were discovered through the Bug Bounty Program by Vulnerability-Lab researcher Benjamin Kunz Mejri and his team [2]. The payment methods and amounts are undisclosed and are based upon the decision of the security team who evaluate the flaws reported to them. Similar programs have already been implemented by Google, Facebook, Mozilla, Samsung and other leading companies [5]. Such programs have been described as an effective way to find potential issues in Internet-based services, and thus to reduce disputes between users and companies, website downtime due to such attacks and other problems caused by malicious attackers [5].