PayPal plugs phishing-enabling vulnerability, stumps up $500

To the bug-splatter who found it. Not to you, don't get excited

By John Leyden


PayPal has patched a flaw which created a means for miscreants to abuse its platform to lend authenticity to fraudulent or otherwise malicious emails.

The input validation and mail encoding web vulnerability in the official PayPal online web app was discovered by Vulnerability Laboratory researcher Benjamin Kunz Mejri.

The bug created a mechanism for attackers to inject malicious content into the mail headers of emails sent via PayPal's portal. The "medium" risk threat (CVSS score of 3.9) earned Kunz Mejri a $500 payout under PayPal's bug bounty program, a spokeswoman for the payments outfit confirmed.

Kunz Mejri discovered and reported the flaw back in October but only went public this week with an advisory and video clip after PayPal plugged the vulnerability.

“The vulnerability is in the profile section of the API request,” Kunz Mejri told El Reg. “It is possible to inject a string as that is streamed through the PayPal Inc service postbox.”

“So we are able to inject our own malicious script code into the PayPal service emails via a filter bypass and an application-side cross-site scripting bug,” he added.
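The class of bug the advisory describes, mail header injection through an unvalidated profile field, as an added illustration that is not PayPal's code nor Vulnerability Laboratory's proof of concept: a notification template that concatenates an untrusted display name straight into raw headers, beside a hardened version that rejects control characters and builds the message through Python's email library. The template, the field, the addresses and the sample payload are all constructed assumptions for the example; nothing here reproduces the actual PayPal endpoint or the researcher's payload.

```python
"""Mail header injection via an untrusted profile field: vulnerable vs. hardened.

Constructed example, not PayPal code. The template, field and input are assumptions.
"""
import email
import email.message
import re
from email import policy

# Constructed attacker-controlled display name. A bare CRLF terminates the Subject
# line and lets the remainder be parsed as new header fields (Bcc, X-Injected).
CONSTRUCTED_ATTACK_NAME = "Alice Example\r\nBcc: victim@example.net\r\nX-Injected: 1"

# Headers the (hypothetical) notification template is expected to emit.
EXPECTED_HEADERS = frozenset(
    {"from", "to", "subject", "mime-version", "content-type", "content-transfer-encoding"}
)

# Any ASCII control character (CR, LF, NUL, TAB, ...) is out of place in a
# header field that is supposed to carry a person's name.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_notification_naive(display_name: str, recipient: str) -> bytes:
    """VULNERABLE: string-concatenates the untrusted name into raw RFC 5322 headers."""
    raw = (
        "From: service@example.com\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {display_name} sent you a payment\r\n"
        "\r\n"
        "Hello,\r\n"
    )
    return raw.encode("utf-8")


def validate_header_value(value: str) -> str:
    """Reject values that would start a new header line or smuggle control bytes."""
    if len(value.splitlines()) > 1 or CONTROL_CHARS.search(value):
        raise ValueError("control characters are not allowed in header fields")
    return value


def build_notification_safe(display_name: str, recipient: str) -> bytes:
    """HARDENED: validate each field, then let EmailMessage serialise the headers.

    The explicit check is the primary control; EmailMessage's default policy
    also refuses multi-line header values as a second line of defence.
    """
    msg = email.message.EmailMessage()
    msg["From"] = "service@example.com"
    msg["To"] = validate_header_value(recipient)
    msg["Subject"] = f"{validate_header_value(display_name)} sent you a payment"
    msg.set_content("Hello,\n")
    return msg.as_bytes()


def unexpected_headers(raw: bytes) -> dict:
    """Parse the serialised message the way a mail server would and return every
    header the template never set, i.e. the ones an attacker managed to inject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {name: str(value) for name, value in msg.items()
            if name.lower() not in EXPECTED_HEADERS}


def is_rejected(display_name: str, recipient: str = "bob@example.org") -> bool:
    """True if the hardened builder refuses the given display name."""
    try:
        build_notification_safe(display_name, recipient)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked = unexpected_headers(
        build_notification_naive(CONSTRUCTED_ATTACK_NAME, "bob@example.org")
    )
    print("naive template leaked headers:", leaked)
    print("hardened builder rejects payload:", is_rejected(CONSTRUCTED_ATTACK_NAME))
    print("hardened builder accepts benign name:", not is_rejected("Alice Example"))
```

Run stand-alone, the naive builder yields a message carrying an attacker-chosen Bcc and a custom header, which is exactly the lever a phisher wants from a trusted sender domain; the hardened builder raises on the same input and produces only the template's own headers for a benign name. Validating at the point of storage (the profile update) as well as at the point of use is the belt-and-braces approach, since a stored field is reused by many templates.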

Kunz Mejri has an extensive back catalogue of flaws found in PayPal's apps and, more recently, configuration bugs in a German ATM, among other finds. ®


