PayPal fixes serious account hijacking bug in manager

by Chris Brook
 
PayPal patched a hole in its Manager portal this week that could have made it easy for an attacker to hijack an admin’s account, change their password and steal their personal information — not to mention their savings. Manager is a feature of the service that allows users to manage their Payflow account, the company’s name for the gateway that merchants use to take payments from customers. Mark Litchfield, an IT consultant who discovered the hack, posted a detailed explanation of it on his pen testing site, Securatary, late Wednesday.
“PayPal had gone to considerable lengths (more so than others) to ensure the security of this portal”, Litchfield wrote. Not far enough, apparently. Litchfield claims he started by capturing a request with the web app security tester Burp Suite and was able to use its built-in username dictionary to look for a login. After he concluded enumeration, a process that retrieves a list of legitimate merchant logins, Litchfield was able to glean more than half of the information he needed to fill in PayPal’s Manager Login screen. Having secured the partner name and the merchant log-in, Litchfield didn’t need an email address, he just needed the password, something he could reset without even having to answer a security question.
 
Full Article
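The article describes two weaknesses: a login that let a username wordlist confirm which merchant logins exist, and a reset flow that asked no further questions. The following is an added example (not code from the article, Litchfield's write-up, or PayPal) showing the defender's side of the first one: a leaky login handler beside a uniform one, plus a small detector that flags one source address cycling through many distinct usernames in authentication logs. The user store, salt, log format and threshold are all constructed for illustration.

```python
"""Login responses that reveal account existence, their fix, and a log check
for enumeration. Added example; all data here is constructed."""
import hashlib
import hmac
import re
from collections import defaultdict


def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


# Constructed user store: username -> (salt, pbkdf2 hash). Hypothetical data.
_SALT = b"constructed-salt"
USERS = {"merchant_alice": (_SALT, _hash(b"correct horse", _SALT))}
# Dummy credentials so an unknown username costs the same work as a known one.
_DUMMY = (_SALT, _hash(b"dummy", _SALT))


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the failure message says whether the account exists, and
    unknown usernames skip the hash entirely (a timing difference as well)."""
    if username not in USERS:
        return "unknown merchant login"
    salt, expected = USERS[username]
    if hmac.compare_digest(_hash(password.encode(), salt), expected):
        return "ok"
    return "wrong password"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for every failure, and the same hashing work
    whether or not the username exists."""
    salt, expected = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password.encode(), salt), expected)
    return "ok" if ok and username in USERS else "invalid login"


# Constructed auth log lines (hypothetical format): one source tries six
# different logins, another is a legitimate user mistyping once.
CONSTRUCTED_LOGS = """\
2015-08-26T10:00:01Z src=198.51.100.7 user=merchant_alice result=fail
2015-08-26T10:00:02Z src=198.51.100.7 user=merchant_bob result=fail
2015-08-26T10:00:03Z src=198.51.100.7 user=merchant_carol result=fail
2015-08-26T10:00:04Z src=198.51.100.7 user=merchant_dave result=fail
2015-08-26T10:00:05Z src=198.51.100.7 user=merchant_erin result=fail
2015-08-26T10:00:06Z src=198.51.100.7 user=merchant_frank result=fail
2015-08-26T10:00:07Z src=203.0.113.5 user=merchant_alice result=fail
2015-08-26T10:00:09Z src=203.0.113.5 user=merchant_alice result=ok
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def flag_enumeration(log_text: str, distinct_users: int = 5) -> dict:
    """Return {ip: number of distinct usernames tried} for every source that
    tried more than `distinct_users` logins. Password guessing hammers one
    username; a wordlist of usernames from one source is the enumeration
    signature, regardless of how many attempts succeed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        seen[m["ip"]].add(m["user"])
    return {ip: len(u) for ip, u in seen.items() if len(u) > distinct_users}


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), "|", login_uniform("nobody", "x"))
    print(flag_enumeration(CONSTRUCTED_LOGS))
```

The uniform handler also keeps the `username in USERS` check after the hash comparison, so a guess that happens to match the dummy credentials for a non-existent account still fails; the detector is deliberately count-based so it works on any login endpoint, including a password-reset form that is equally useful for confirming usernames.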


Is this related to the eBay hack news that I see on CNN today? (Asking as eBay owns PayPal) or is this a separate issue?

Not sure it's related, but I just posted about that eBay hack here.

@DavidP1970 wrote:
Is this related to the eBay hack news that I see on CNN today? (Asking as eBay owns PayPal) or is this a separate issue?

David, I changed both account passwords just in case! ;)

Daniel

@ wrote:
@DavidP1970 wrote:
Is this related to the eBay hack news that I see on CNN today? (Asking as eBay owns PayPal) or is this a separate issue?

David, I changed both account passwords just in case! ;)

Daniel

So did I, Daniel! As they say, "careful not hurt" ;)

Cheers :D

Mike

The following article is an update:
************************************

PayPal Patches Serious Flaw in Payment System.

By Eduard Kovacs on August 26, 2015
 
PayPal has patched a serious vulnerability that could have been exploited by malicious actors to trick users into handing over their personal and financial details.
The vulnerability, discovered by Egypt-based researcher Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain. The domain is used for PayPal’s hosted solution, which enables online shop owners to allow buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information.
According to Hegazy, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and altered the “Checkout” button with a URL designed to exploit the XSS vulnerability. This allowed the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information.
 
full article
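The update above describes a stored cross-site scripting bug in a hosted checkout page. As an added example (not PayPal's code and not from Hegazy's report), here is the pattern behind that class of bug in a few lines: a page template that writes merchant-supplied text into HTML raw, the same template with the text HTML-encoded, and a small parser-based check that counts how much executable content the browser would see in each result. The template, the `merchant_note` parameter and the sample payload are constructed.

```python
"""Stored XSS: untrusted text written into HTML unescaped, and its fix.
Added example; template, parameter name and payload are constructed."""
import html
from html.parser import HTMLParser

# Constructed fragment of a hosted checkout page. `{note}` stands for text
# that the merchant (or whoever controls the merchant's site) supplies.
TEMPLATE = '<p class="note">{note}</p><button>Checkout</button>'


def render_unsafe(merchant_note: str) -> str:
    """Vulnerable: interpolates untrusted text straight into the markup, so
    anything stored in the note is parsed as HTML on the payment page."""
    return TEMPLATE.format(note=merchant_note)


def render_escaped(merchant_note: str) -> str:
    """Hardened: every HTML metacharacter (including quotes, for attribute
    contexts) is encoded, so the browser displays the text as text."""
    return TEMPLATE.format(note=html.escape(merchant_note, quote=True))


class _ActiveContentCounter(HTMLParser):
    """Counts <script> tags and on* event-handler attributes, i.e. the places
    where a browser would run attacker-supplied code."""

    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.startswith("on") for name, _ in attrs):
            self.count += 1


def active_content(rendered: str) -> int:
    """Number of executable hooks in a rendered page; 0 is the goal."""
    parser = _ActiveContentCounter()
    parser.feed(rendered)
    parser.close()
    return parser.count


# Constructed payload of the textbook kind: a script tag plus an event handler.
SAMPLE_PAYLOAD = '<script>alert(1)</script><img src=x onerror=alert(1)>'

if __name__ == "__main__":
    print("unsafe :", active_content(render_unsafe(SAMPLE_PAYLOAD)))
    print("escaped:", active_content(render_escaped(SAMPLE_PAYLOAD)))
    print(render_escaped(SAMPLE_PAYLOAD))
```

Output encoding at the point of insertion is the fix that removes the bug; a Content-Security-Policy header that disallows inline scripts is the defence-in-depth layer that limits the damage when an encoding step is missed somewhere else in the same page.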
