PayPal is a well-known online payment service and a company which runs a bug bounty program. We’ve participated in their bug bounty program and we’ve discovered a very critical security issue on their main domain www.paypal.com. We’ll now write something about the reporting-process and the vulnerability itself. This article should show that big companies are not 100% secure and can also suffer from critical vulnerabilites. Paypal is an online payment services provider who enjoys world-wide populiarity. Paypal was founded in 1998 and was taken over by eBay in 2002. Today it has more than 230 billions of registered users and a lot of websites and/or online shops offer Paypal as a payment method. The issue we’ve discovered is called a “path traversal” vulnerability (reffered to as “Directory Traversal”). The concept of this vulnerability type is that unauthorized people can display and download abitary files from the server. The attacker only needs to know or to brute-force the path to a specific file which he wants to download. The vulnerability existed in the function “_getnbinternal” of paypal’s API. This API call is being used to include different files in the sourcecode of some paypal websites. For example: <script src="https://www.paypal.com/de/cgi-bin/webscr?cmd=_getnbinternal&path=netbiscuitsIPhone-1.0.107.js" type="text/javascript"></script> Further tests of this url and espacially the “path” parameter showed that it was possible to manipulate the path to the included file using “./” and “../”. After some relative traverses, we reached the the root-folder (/). We know that unix systems provide a “/etc/passwd”, which can be read by every user. With that knowledge we were able to download the /etc/passwd file from one of paypals main server! PWNED https://www.paypal.com/de/cgi-bin/webscr?cmd=_getnbinternal&path=../../../../etc/passwd A few months ago this link was a critical vulnerability, which allows you to download system data, today this issue is fixxed. All big operating systems (for example Windows and Linux) have standard system files which you can read, there are often located in the same path. After this first impression we decided to not to be a bad boy and to responsibly disclose the vulnerability to paypals security team. After some days we received a very sobering response which stated that this issue is invalid. But we’re all humans and we know that humans make mistakes. In opposite to the Facebook-Hacker “Khalil Shreateh” we wrote a completely new email with all technical details and we included the download links to the /etc/passwd and httpd.conf (apache config file) files. In addition we answered their question “How this vulnerability can harm their customers”. In the end it took us 3-5 clarifying emails to convince PayPal to treat the vulnerabilty in scope of their bug bounty. Afterwards we thought that PayPal would fix this problem asap. They proofed us wrong, because they fixed it three months later. All in all the communication was a bit slow. This bug submission was rewarded by paypal with a 4-digit bounty. The first fix was a filter, all events with “./” and “../” were replaced with None (“”). This implemantation still was faulty, so it was possible to bypass the filter. The bypass was simple, because you just have to replace the statements like this: ”./” => “..//” ”../” => “….//” ”/” => “//” The new URL to the system files looked like: https://www.paypal.com/en/cgi-bin/webscr? cmd=_getnbinternal&path=....//....//....//....//etc//passwd It could also be possible to brute-force the pathes and find some more critical data. If there would be some backups from user data, a bad guy may would be able to download them. The lost of confidentiality would be very impressive, like you can see in former times at the Playstation Network hack. We contacted Paypal again and told the security team that it was possible to bypass the filter. The security support opend a new case and fixed the vulnerability within the next months. At last there were some misunderstandings about the amount of the bounty payment. In the bugbounty program ToS it is mentioned that every vulnerability on the main domain paypal.com would be rewarded with at least 750$, but there have only been associated 500$ to this specific bug on the reward panel. After contacting the security team again, they apologized for their mistake and corrected the bounty sum. All in all this bug was worth a 5-digit payment. We would like to thank PayPal for their great BugBounty program and the official listing in their “Wall of Fame”: https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention
Surs?: https://en.internetwache.org/paypal-fixes-a-path-traversal-vulnerability-18-09-2013/
When you visit a website, it stores some information on your system through a web browser for later use i.e. Login information, so you do not have to re-login to your website every time you visit the same website on the same browser. Cookies are usually stored as plain text or in the database by the browser and if a computer is accessed by multiple people, one person might scan another’s cookie folder and look for things like passwords or long-life session IDs. If an attacker has the physical access to your system, can steal all your cookies easily to hijack accounts. There are many tools available on the Internet that can make it quicker and easier for an attacker to export all your cookies from the browser. The Google Chrome web browser also saves cookies to a SQLite database file in the user's data folder. One can import that file to SQL Editor software to read all cookies in plain text format. Google's open source project Chromium browser now have a new feature that encrypts stored cookies by default by the browser, whereas similar feature is already implemented in Chrome OS and Android. In the case where someone gains local access to a computer and scans for cookies, encrypted cookies prevent the attacker from viewing the cookie contents. Another important fact to be noted that, this encryption is at system user level i.e. This will only protect the cookies of a system user from the access by other users on the same system. So, if you will hand over your user account logged-in to an attacker, one can still access your cookies in plain text. Google may soon adopt similar feature in the all official desktop versions of Chrome Browser, that will encrypt the browser cookies with 128-bit AES encryption before saving to the hard disk. Encrypting browser cookies provide an additional level of security, but not sufficient until Google will not start protecting them with some master password that will also lock the access to encrypted cookies for the same windows user. Surs?: Google Chrome to encrypt Stored Cookies by default to enhance browser security