PayPal plugs phishing-enabling vulnerability, stumps up $500

To the bug-splatter who found it. Not to you, don't get excited

By John Leyden

Posted in Security, 1st April 2016 16:27 GMT

PayPal has patched a flaw which created a means for miscreants to abuse its platform to lend authenticity to fraudulent or otherwise malicious emails.

The input validation and mail encoding web vulnerability in the official PayPal online web app was discovered by Vulnerability Laboratory researcher Benjamin Kunz Mejri.

The bug created a mechanism for hackers to inject malicious code into the mail header of emails sent via PayPal's portal. The "medium" risk threat (CVSS score of 3.9) earned Kunz Mejri a $500 payout under PayPal’s bug bounty program, a spokeswoman for the payments outfit confirmed.

Mejri discovered and reported the flaw back in October but only went public this week with an advisory and video clip (below) after PayPal plugged the vulnerability.

“The vulnerability is in the profile section of the PayPal.com API request,” Kunz Mejri told El Reg. “It is possible to inject a string as that is streamed through the PayPal Inc service postbox.”

“So we are able to inject own malicious script codes to the PayPal service emails via filter bypass and application-side cross site scripting bug,” he added.
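The bug class described here, profile text reaching service emails unencoded, can be shown from the defender's side. This is an added example, not PayPal's code or the researcher's proof of concept; the function names, addresses and sample inputs are assumptions constructed for illustration.

```python
import html
import re
from email.message import EmailMessage

# CR, LF, NUL and other control characters must never reach a mail header.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def clean_header_value(value: str, max_len: int = 64) -> str:
    """Reject, rather than repair, a value that carries control characters."""
    if _CTRL.search(value):
        raise ValueError("control character in header value")
    return value[:max_len]


def render_body_unsafe(first_name: str) -> str:
    # The 'before' case: profile text is concatenated into markup as-is.
    return f"<p>Hello {first_name}, you have a new message.</p>"


def render_body(first_name: str) -> str:
    # Encode at the point of output, for the HTML context the value lands in.
    safe = html.escape(first_name, quote=True)
    return f"<p>Hello {safe}, you have a new message.</p>"


def build_notification(first_name: str, recipient: str) -> EmailMessage:
    """Build a service email from one user-controlled profile field."""
    msg = EmailMessage()
    msg["From"] = "service@example.test"  # hypothetical sender
    msg["To"] = clean_header_value(recipient, 254)
    msg["Subject"] = "Message from " + clean_header_value(first_name)
    # The text/plain part is not rendered as markup by mail clients.
    msg.set_content(f"Hello {first_name}, you have a new message.")
    msg.add_alternative(render_body(first_name), subtype="html")
    return msg


# Constructed sample profile values, not taken from the advisory.
MARKUP_NAME = '"><script>alert(1)</script>'
HEADER_NAME = "Alice\r\nBcc: someone@example.test"

if __name__ == "__main__":
    print(render_body_unsafe(MARKUP_NAME))
    print(render_body(MARKUP_NAME))
    try:
        build_notification(HEADER_NAME, "user@example.test")
    except ValueError as exc:
        print("rejected:", exc)
```

The header check and the body encoding are separate controls because the same profile value lands in two different contexts, and a filter written for one does not protect the other.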

Kunz Mejri has an extensive back catalogue of discovering flaws in apps from PayPal and more recently config bugs in a German ATM cash machine, among other finds. ®
