PayPal plugs phishing-enabling vulnerability, stumps up $500
To the bug-splatter who found it. Not to you, don't get excited
PayPal has patched a flaw which created a means for miscreants to abuse its platform to lend authenticity to fraudulent or otherwise malicious emails.
The input validation and mail encoding web vulnerability in the official PayPal online web app was discovered by Vulnerability Laboratory researcher Benjamin Kunz Mejri.
The bug created a mechanism for hackers to inject malicious codes into the mail header of emails sent via PayPal's portal. The "medium" risk threat (CVSS score of 3.9) earned Kunz Mejri a $500 payout under PayPal’s bug bounty program, a spokeswoman for the payments outfit confirmed.
Mejri discovered and reported the flaw back in October but only went public this week with an advisory and video clip (below) after PayPal plugged the vulnerability.
“The vulnerability is in the profile section of the PayPal.com API request,” Kunz Mejri told El Reg. “it is possible to inject a string as that is streamed through the PayPal inc service postbox.”
“So we are able to inject own malicious script codes to the PayPal service emails via filter bypass and application-side cross site scripting bug,” he added.
Kunz Mejri has an extensive back catalogue of discovering flaws in apps from PayPal and more recently config bugs in a German ATM cash machine, among other finds. ®