A vulnerability that would have enabled a hacker to completely bypass the authentication system in PayPal has been patched, resulting in a $10,000 bounty for the white-hat that found it.
Worth every penny, too: the flaw put 150 million PayPal customers in danger of having their accounts hijacked with a low-effort, simple gambit.
The flaw was publicly disclosed by Egyptian researcher Yasser Ali, after he saw that the cross-site request forgery (CSRF) prevention system implemented by PayPal had a critical flaw. As a security precaution, the CSRF token that authorizes a user's actions is supposed to change with every request the user makes. But Ali found that the ‘CSRF Auth’ token was reusable for a specific user email address or username, meaning that a hacker could intercept and take possession of the token and then simply reuse it to access the account of the corresponding logged-in user.
Ali detailed how the vulnerability could be exploited in a blog post. The essential problem lies with the fact that CSRF Auth verifies every single request of that user. So, if an attacker is not logged in and tries to make a ‘send money’ request, PayPal asks the attacker to provide an email and password. When he plugs in the victim's email and any password, valid or not, he can then capture the request, which contains a valid CSRF Auth token; because that token is reusable, it can authorize that specific user's requests.
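To make the defect concrete, the following is an added example (not code from Ali's report or from PayPal) contrasting the weak pattern the article describes, a token that depends only on the user's email and so is identical for every request by that user, with a token minted per session and checked only against that session. The secret, email and session ids are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the demo; never reuse in real code.
SERVER_SECRET = b"demo-secret-for-illustration-only"


def weak_csrf_token(email: str) -> str:
    """Weak pattern: the token is a function of the email alone, so any
    request naming that email (even a failed login) yields the same token."""
    return hmac.new(SERVER_SECRET, email.encode(), hashlib.sha256).hexdigest()


def weak_validate(email: str, token: str) -> bool:
    """Accepts the token if it matches the per-email value, with no notion
    of which session (or whether any authenticated session) presented it."""
    return hmac.compare_digest(weak_csrf_token(email), token)


class SessionCsrf:
    """Hardened pattern: a random token is issued per session and stored
    against that session id; a token from another session never matches."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}  # session_id -> token

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id: str, token: str) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected, token)


def replay_scenario() -> tuple:
    """Returns (weak_accepts_replay, hardened_rejects_foreign, hardened_accepts_own)."""
    victim = "victim@example.com"  # constructed
    # Weak scheme: a token observed for the victim's email in any request
    # validates the victim's later requests as well.
    observed = weak_csrf_token(victim)
    weak_accepts_replay = weak_validate(victim, observed)

    # Hardened scheme: a token minted in one session is useless in another.
    store = SessionCsrf()
    foreign_token = store.issue("sess-unauthenticated")
    own_token = store.issue("sess-victim")
    hardened_rejects_foreign = not store.validate("sess-victim", foreign_token)
    hardened_accepts_own = store.validate("sess-victim", own_token)
    return weak_accepts_replay, hardened_rejects_foreign, hardened_accepts_own
```

Rotating the stored token on each state-changing request (re-calling `issue` after a successful `validate`) further limits the window in which a captured token is useful.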