PayPal bug bounty catches account-hijacking vulnerability

Popular internet payment provider PayPal has fixed an exploit that would have allowed hackers to take over an account with a single click, reports The Register.

The PayPal bug, a ‘cross-site request forgery’, was discovered by Egyptian researcher Yassar H Ali, who found it was possible to access any account if a hacker could convince the account’s owner to click a link. Once clicked, the hacker would be able to link their email addresses to a victim’s account, then reset the password and take over the account, because the site’s CSRF authentication tokens were reusable and valid for all users. Ali explains that, as security questions did not require password authentication, he was also able to use the token to gain full access to an account by “modifying answers using a small Python script.”
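To make the flaw described above concrete, here is an added illustration (written for this page, not PayPal’s code or Ali’s script) of the difference between a CSRF check that accepts one token for every user and one that binds the token to the authenticated session. The secret, the token value, the session identifiers and the `add_email` endpoint are all constructed for the demonstration. The point it shows is the one the article makes: when the server does not tie the token to the session that submits it, a token obtained from any account validates a forged request made in the victim’s browser.

```python
import hmac
import hashlib

# Constructed demo secret; a real deployment loads it from configuration, never from source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# --- Weak pattern (the class of flaw the article describes): one token accepted for everyone ---
GLOBAL_TOKEN = "reusable-token"  # constructed placeholder, stands in for a token valid for all users


def weak_verify(submitted_token, session_id):
    # The session is ignored, so a token obtained from any account validates
    # a request carried by any other user's browser.
    return submitted_token == GLOBAL_TOKEN


# --- Hardened pattern: derive the token from the authenticated session ---
def issue_token(session_id):
    # HMAC over the session id: a token from one session cannot be replayed in another,
    # and the server can recompute it without storing anything extra.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify(submitted_token, session_id):
    expected = issue_token(session_id)
    # Constant-time comparison avoids leaking the expected value through timing.
    return hmac.compare_digest(submitted_token, expected)


def add_email(session_id, form, verifier):
    """Hypothetical state-changing endpoint (linking an email address to the account).

    Returns the linked address on success, or None when the CSRF check rejects the request.
    """
    if not verifier(form.get("csrf_token", ""), session_id):
        return None
    return form["email"]


def demo():
    # The victim's browser submits the forged form, so the request carries the victim's session.
    victim = "sess-victim"
    attacker = "sess-attacker"
    # The forged form only contains a token the attacker could obtain from their own account.
    forged_weak = {"csrf_token": GLOBAL_TOKEN, "email": "attacker@example.com"}
    forged_strong = {"csrf_token": issue_token(attacker), "email": "attacker@example.com"}
    legitimate = {"csrf_token": issue_token(victim), "email": "me@example.com"}
    return {
        "weak_accepts_forgery": add_email(victim, forged_weak, weak_verify) is not None,
        "hardened_rejects_forgery": add_email(victim, forged_strong, verify) is None,
        "hardened_accepts_own": add_email(victim, legitimate, verify) == "me@example.com",
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The same binding is what lets a server reject a token that was minted for one account and replayed for another; the remaining fix the article mentions, requiring the current password before security-question answers can be changed, is a separate control and is not modelled here.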

Fortunately, no evidence of any accounts being compromised with the exploit has been found, and the exploit has now been closed, with Ali receiving a $10,000 reward as part of PayPal’s Bug Bounty program.

A statement from PayPal said, “Through the PayPal Bug Bounty Program, one of our security researchers recently made us aware of a way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto Our team worked quickly to address this vulnerability, and we have already fixed the issue.”

“There is no evidence that any customer was impacted. We are grateful to the security community for their contributions to the Bug Bounty Program, and helping us keep our customers’ information secure,” it added.

SC Magazine notes that this is the second major bug Ali has tracked down this year, after he discovered an exploit in PayPal’s parent company eBay that would potentially have allowed cybercriminals to hijack any of the auction site’s accounts.


Author , ESET


Copyright © 2016 ESET, All Rights Reserved.