PayPal plugs phishing-enabling vulnerability, stumps up $500

To the bug-splatter who found it. Not to you, don't get excited

By John Leyden


PayPal has patched a flaw which created a means for miscreants to abuse its platform to lend authenticity to fraudulent or otherwise malicious emails.

The input validation and mail encoding web vulnerability in the official PayPal online web app was discovered by Vulnerability Laboratory researcher Benjamin Kunz Mejri.

The bug created a mechanism for hackers to inject malicious code into the mail header of emails sent via PayPal's portal. The "medium" risk threat (CVSS score of 3.9) earned Kunz Mejri a $500 payout under PayPal’s bug bounty program, a spokeswoman for the payments outfit confirmed.

Mejri discovered and reported the flaw back in October but only went public this week with an advisory and video clip (below) after PayPal plugged the vulnerability.

“The vulnerability is in the profile section of the API request,” Kunz Mejri told El Reg. “It is possible to inject a string as that is streamed through the PayPal inc service postbox.”

“So we are able to inject own malicious script codes to the PayPal service emails via filter bypass and application-side cross site scripting bug,” he added.

Kunz Mejri has an extensive back catalogue of discovering flaws in apps from PayPal and more recently config bugs in a German ATM cash machine, among other finds. ®
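For readers who build notification mail from user profile data, the class of flaw described above (a profile value reaching a service email without validation or encoding) looks like this in miniature. This is an added example, not PayPal's code and not taken from the advisory; the field name, addresses, message text and sample value are all constructed assumptions.

```python
import html
import re
from email.message import EmailMessage

# Constructed sample: a profile "name" carrying markup plus a CRLF sequence.
HOSTILE_NAME = 'Alice"><script src="//example.invalid/x.js"></script>\r\nX-Injected: 1'

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def clean_header_text(value, max_len=64):
    """Input validation: drop control characters (CR/LF included) and cap
    the length, so the value cannot terminate the header it is placed in."""
    return _CONTROL_CHARS.sub("", value)[:max_len]


def render_body_unsafe(name):
    # Weak form: the profile value is concatenated into HTML unchanged,
    # so any markup in it becomes part of the service's own email.
    return "<p>Hello " + name + ", your profile was updated.</p>"


def render_body_safe(name):
    # Output encoding: the value is escaped for the HTML context it lands in.
    return "<p>Hello " + html.escape(name, quote=True) + ", your profile was updated.</p>"


def build_notification(name, recipient):
    """Build a multipart notification (hypothetical sender and wording)."""
    msg = EmailMessage()
    msg["From"] = "service@example.invalid"
    msg["To"] = recipient
    msg["Subject"] = "Profile updated for " + clean_header_text(name)
    msg.set_content("Hello " + clean_header_text(name) + ", your profile was updated.")
    msg.add_alternative(render_body_safe(name), subtype="html")
    return msg


if __name__ == "__main__":
    print(render_body_unsafe(HOSTILE_NAME))
    print(build_notification(HOSTILE_NAME, "user@example.invalid"))
```
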
