PayPal plugs phishing-enabling vulnerability, stumps up $500

To the bug-splatter who found it. Not to you, don't get excited

By John Leyden


PayPal has patched a flaw which created a means for miscreants to abuse its platform to lend authenticity to fraudulent or otherwise malicious emails.

The input validation and mail encoding vulnerability in PayPal's official online web app was discovered by Vulnerability Laboratory researcher Benjamin Kunz Mejri.

The bug gave attackers a way to inject malicious code into the headers of emails sent via PayPal's portal. The "medium" risk threat (CVSS score of 3.9) earned Kunz Mejri a $500 payout under PayPal’s bug bounty program, a spokeswoman for the payments outfit confirmed.

Kunz Mejri discovered and reported the flaw back in October but only went public this week with an advisory and video clip (below) after PayPal plugged the vulnerability.

“The vulnerability is in the profile section of the API request,” Kunz Mejri told El Reg. “It is possible to inject a string as that is streamed through the PayPal inc service postbox.”

“So we are able to inject our own malicious script code to the PayPal service emails via filter bypass and application-side cross site scripting bug,” he added.
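The class of bug described above, as an added defensive illustration that is not from the advisory or from PayPal's code: a service-mail builder that rejects control characters in a user-controlled profile value before it can reach a header, and lets the standard library encode the value instead of concatenating strings. The sender and recipient addresses are constructed placeholders.

```python
"""Defensive handling of user-controlled values that end up in e-mail headers.

Mail header injection relies on smuggling a line break (CR or LF) into a
value the application copies into a header; everything after the break is
parsed as a new header, or as the start of the body.  Two controls close
it: reject control characters at the input boundary, and let a MIME
library encode the header rather than building it by concatenation.
"""
import re
from email.message import EmailMessage
from email.utils import formataddr

# Control characters (CR, LF, NUL, ...) are never legal inside a header
# value; space and tab are folding whitespace and stay allowed.
_CTRL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def is_header_safe(value: str) -> bool:
    """Return True when `value` may be placed in an e-mail header."""
    return _CTRL_RE.search(value) is None


def build_notification(display_name: str, to_addr: str, body: str) -> bytes:
    """Build a service e-mail whose From display name is user-controlled.

    Raises ValueError instead of emitting a message with injected headers.
    The sender address is a constructed placeholder, not a real mailbox.
    """
    if not is_header_safe(display_name):
        raise ValueError("display name contains control characters")
    if not is_header_safe(to_addr) or "@" not in to_addr:
        raise ValueError("invalid recipient address")
    msg = EmailMessage()
    # formataddr quotes or RFC 2047-encodes the display name, so quotes,
    # commas and non-ASCII text cannot alter the header structure.
    msg["From"] = formataddr((display_name, "service@example.invalid"))
    msg["To"] = to_addr
    msg["Subject"] = "Your account activity"
    msg.set_content(body)
    return msg.as_bytes()


def rejects(display_name: str) -> bool:
    """True when the builder refuses `display_name` (used for checks)."""
    try:
        build_notification(display_name, "user@example.invalid", "hi")
    except ValueError:
        return True
    return False


def header_names(raw: bytes) -> list:
    """Return the field names in the header block of a serialized message."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    names = []
    for line in head.splitlines():
        if line[:1] in (b" ", b"\t"):  # folded continuation line
            continue
        names.append(line.split(b":", 1)[0].decode("ascii"))
    return names
```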

Kunz Mejri has an extensive back catalogue of discovering flaws in apps from PayPal and, more recently, configuration bugs in a German ATM, among other finds. ®
