Jump to content
Matt

PayPal fixes critical account switcheroo bug after researcher tipoff

Recommended Posts

Posted (edited)

PayPal has fixed a critical flaw that allowed an attacker to delete any account at will and replace it with one of their own.

In April, security researcher Ionut Cernica discovered that US PayPal account holders could add an email address to someone else's account by visiting a PayPal webpage. This then allowed the account to be deleted, he showed in a demonstration video (beware, old-school techno soundtrack):

"After you added an existing email to your account if you go to the account profile and you delete the unconfirmed email, the original account will be deleted too," Cernica's report reads.

"After you removed the account, you can make another one with same username with your desired password, but you will have no money and is not confirmed."

In order to achieve verified PayPal status, the attacker would simply need to assign a bank account or credit card to the replacement username and go through the standard accreditation procedure. If the scam wasn't spotted quickly, funds could then be siphoned off as soon as they came in.

According to the report, PayPal acknowledged the flaw a week later and in May told Cernica that a fix had been issued – but the researcher reported back that the dodge was still possible. The final patch was issued this week, and Cernica has received his bounty for the bug.

The bug will net Cernica $3,000 at most, and would be worth many times that on the black market. The case highlights the effectiveness of once-controversial bug bounty programs, something even long-time holdout Microsoft has now acknowledged. ®

Author Cernica Ionut aka mah_one @ RST

Source TheRegister.co.uk

Edited by Matt
Posted (edited)

PayPal Fixes Vulnerability That Allowed Hackers to Delete Any Account – Video (Updated)

Paypal said:

"Update. PayPal has reached out to Softpedia with the following statement:

“Despite recent reports of a PayPal vulnerability that allows users to delete any account and replace it with one of their own, we want to confirm that we have never received any valid bugs related to that issue on PayPal.com and did not issue a reward for it.

If a researcher identifies a valid bug on our site, we encourage them to responsibly report it to our Bug Bounty program so we can reward and recognize those researchers that help keep PayPal a safer place for our customers.”

E a doua oara cand paypal valideaza problema ca apoi sa nu o recunoasca (au venit cu niste interpretari idioate care o sa le prezint intr-un articol zilele astea).

Articolul ce il voi scrie va avea doua subiecte:

- idiotii de la vulnerability lab

- paypal

Doar ce este intre ghilimele este scris de mine, restul sunt minciuni de la vulnerability lab (inca nu imi este clar de ce au scris chestia aia, iar Kunz Mejir nu vrea sa imi raspunda la intrebare).

Paypal au validat problema pe 05.08.2013, iar in mesajul de validare nu au specificat bugul, dar era logic la ce bug s-au referit.

Problema a existat, Domnul.Do si toshiba poate sa confirme problema descoperita( le-am facut o demonstratie).

https://rstforums.com/forum/68534-p-y-p-l.rst#post442967

Am sa dau mai multe detalii intr-un articol ce il voi posta zilele astea.

Mesajul meu 02/08/2013:

Hi Art,

Anything about the research you made?
Forgot the problem with billsafe.de, just review the last report on that website, because the issue still exists.
I would like to have an final answer about what happened with the problem with delete any account on paypal.
I know that I'm not able to take any bounty for that problem, because you don't know what happened, but I would like to make it
public and I want your feedback regarding the existence of this issue.

All the best,
Cernica Ionut

Raspunsul lor 05/08/2013

Cernica,
Thank you for your patience. We have received an update that this item
has been found valid and immediately fixed. Our development team wanted
me to pass on to you that this was a good find. I apologize for the
delay, but we needed a few more developers to look at this in depth.

Kind regards,
Art

Vineri seara (23/08/2013), m-au luat la intrebari in legatura cu minciunile din regsiter.co.uk. Le-am explicat ca ce am zis eu este scris intre ghilimele, restul sunt minciuni de la vuln-lab.

Le-am mai zis ca ce era intre ghilimele am scris fiindca ei au validat problema "delete any account".

Ei mi-au zis ca nu au validat problema cu "delete any account" ci ultima problema din billsafe.

De ce cred ca paypal minte?

Strong arguments:

#1 intrebarea era despre "delete any accont"

#2 Au zis ca a fost gasit valid si imediat rezolvat - "has been found valid and immediately fixed". Ultima problema din billsafe.de a fost gasita tot in aprilie si rezolvata recent (am email cu ultimul hash vulnerabili la data de 02/08/2013). Problema "delete any account" a fost validata si rezolvata imediat.

#3 "but we needed a few more developers to look at this in depth". De ce draq trebuie sa se uite o armata de developeri pe un amarat de bug, care in 2 minute putea fi confirmat. Va zic eu de ce au avut nevoie de "few more dev", fiindca trebuia sa se uite pe cod sau sa ii intrebe pe toti developerii, cine a fixat problema cu "delete any account" si ce inginer de securitate a raportat aceasta problema. In plus chiar ei au zis ca vor ajunge sa intrebe dev team cu acest bug.

Not so strong arguments:

#3 Cuvantul "update", de ce update si nu notification? Eu doar le-am raportat o problema, ca oricare alta, nu au fost probleme de genul sa imi invalideze problema ca el sa primesca un "update".

#4 "Our development team" - Cand vorbeau de dev team-ul din billsafe.de precizau clar, citez: "I'm touching base with the Billsafe team now".

Raspunsul de la paypal:

The bug you are referencing from 8/5 was for BillSafe, UID Ah113ftM. Your email was entitled - "Art" billsafe.de" and we were referencing that BillSafe issue you inquired about. The same email thread contains a status update that notes the bug in question from the article, oebaLK, as invalid. I am not sure where your confusion arises from which bug was fixed, but I don't see any indication given from the email you note that oebaLK was anything but invalid.

Da primisem un bug report in care "delete any account" era invalida, dar si celalalte doua din billsafe.de erau invalide, iar eu am crezut ca au uitat sa modifice.

Imediat dupa ce am trimis problema au validat bugul, iar un scuze au zis abia pe 02/07/2013 7:04 AM:

I apologize for the inconvenience. We notified you in May that the incorrect response was sent regarding UID oebaLK and advised you it was in submitted status rather than valid status.

O sa fac un articol amanuntit cu ce s-a intamplat.

Edited by mah_one
  • Upvote 1
Posted (edited)

Mesajul lor de pe 05/08/2013, nu avea uid, ei zic ca s-a creat o confuzie si ca au vorbit de bugul din billsafe.de

Dar eu am explicat de ce nu avea cum sa vorbeasca de acel bug.

Logic, raspunsul a fost pentru problema "delete any account", mai ales ca era un raspuns la ce i-am rugat sa imi raspunda.

Probabil nu ai inteles ordinea evenimentelor:

- Pe 02/07/2013 primesc un email in care isi cer scuze pentru ca au validat problema ca mai apoi sa ii atribuie status-ul "Submitted".

- Eu ii rog sa se mai uite si sa vorbeasca cu dev team-ul lor, iar ei sunt de acord.

- Pe 02/08/2013 le zic sa uite de billsafe.de, dar sa imi dea un feedback in legatura cu "delete any account"

- pe 05/08/2013 imi dau un raspuns clar( pentru mine) in legatura cu "delete any account", si anume ca problema e valida si ca a fost fixata imediat.

- dupa aceasta data imi mai da un report status la toate probleme de securitate, iar problema "delete any account" si celalalt doua din billsafe.de au fost tot "invalide" (am zis ca au uitat sa treaca, fiindca oricum una din ele era valida).

- 21/08 a fost publicat in softpedia articolul

- 23/08 paypal m-au luat la intrebari in legatura cu articolul.

- 23/08 paypal mi-au zis nu au validat "delete any account", ci ultimul auth bypass din billsafe.de

Dar nu are logica raspunsul lor, si nu il mai argumentez odata, cititi postul de mai sus.

In ultimul rand raspunsul in care au validat o problema, raspuns ce a lasat loc la interpretari, a fost dat in urma unei intrebari foarte clare: "I would like to have an final answer about what happened with the problem with delete any account on paypal."

Edited by mah_one
Posted (edited)

mah_one pentru mine nu este bug ceea ce ai gasit tu nu ca nu iti respect munca ta deci sa nu te superi pe mine :) problema aia este se securitate de la paypal

De exemplul: am patit de 2 ori asa ceva deci cum sa intimplat

Am fost in ro acasa si eu am paypal de Germania si ma-m logat din ro cu ip de ro a mers am cumparat ceva de pe ocazii.ro pe urma ma sunat pe telefon fratele si ma intrebat daca mai am ceva taitei $ pe paypal si iam zis da am ,mia zis frate dami parola sa ma logez pe paypal de prietenul care sint acuma sa fac plata si imediat a inregistrat paypal alta clasa de ip si cum sa logat, la lasat sa logeze dar a aparut alea 2 intrebari secrete , ma sunat iara si ma intrebat raspunsul secret si nu am ma-i tinut minte exact ce am ales ca raspuns si am raspuns gresit si la blocat imediat si apare imaginea ce o ai tu in video

cicz.th.jpg

Acia ai uitat sa precizezi ca primesti un e-mail pe adresa de mail care scrie ceva de genul asta contul a fost atacat bla bla si din mod de siguranta a fost pe durata scurta blocat si ai un link pe care apesi si deschide pagina ca la inregistrare nume , adresa , anul nasteri , contul de banca si asa mai departe sau te duci tu pe paypal si faci ca un fel de inregistrare si pe baza asta confirmi iara ca tu esti :)

Asta nu insemana ca ai sters contul, la suspendat pentru ca a fost inregistrat ca atacat deia paypal nu iti recunoaste tie ca bug :)

A doua oara tot asa am prea schimbat si experimentat in contul paypal si tot asa poza de sus si iara am primit e-mail si dedata asta am zis ia sa sun acolo la ei sa vedem ce zic si mia explicat ca o obtiune de siguranta .

In video unde bagi tu e-mail adresa in al doilea cont si normal ca daca tu folosesti alta adresa de e-mail apare conflicte

De exemplu tu bagi adresa dar atita tip cit tu nu poti confirma nu o poti folosi

De exemplu bagi adresa mea paypal la tine in cont imediat il inregistreaza ca conflict sau chiar si atack si imi apare imediat cint eu ma logez imaginea de mai sus dar asta nu insemana ca tu mia sters mie contul de la paypal .

Cine nu crede ce am zis eu blocativa contul cu pass gresit de exemplu si la intrebarea secreta nu raspundeti corect sa vedeti ca imediat apare imagine de sus si primesti e-mail :)

ps. inca ceva cind mai faceti video cu demonstratie hack faceti si voi cu tot ce cuprinde in Desktop ceas,data si asa mai departe :)

Edited by neox
Posted

Nice find, but next time you find such a critical vulnerability, don't report it to them.

Sell it in the "black market" you'll make a lot more money and not get bullshit from paypal.

Posted

Acum s? gândim pu?in logic. Dac? era un cont de paypal cu balan?? pozitiv? sau negativ?, mai putea fi ?ters? Nu cred. Pe scurt puteai ?terge (dac? ?i numai dac?) doar conturile cu 0$ în cont.

Nu ?tiu dac? îl stergea pe bune contul sau doar îl suspenda, dar e frumoas? gândirea ta, dac? ai ajuns s? testezi asta. Oricum bravo ;)

Posted

Eu nu mai suport prostia astora de la paypal.

Vineri le-am zis ca bugul e rezolvat, si i-am rugat a mia oara sa se mai uite prin ce aveau la data cand le-am trimis bugul si sa vina cu un feedback.

Ei inca incearca sa reproduca bugul si imi vin cu prostii:

Thanks for your message. On the bug in question, we had tested this multiple times without it executing. We cannot execute this without evidence that could lead us to its successful reproduction and will not investigate it further until we have some. Even with the POC included, it was not successful for us as we noted in our email exchanges with you as late as 7/2. 

Ma las pagubas.

Posted (edited)

am raportat 4 xss-uri in where.com, Le-am zis ca daca sunt duplicate le fac publice si azi am primit un mail in care mi-au spus ca le-au validat.

Edited by hate.me
Posted

Cred ca poti sa stergi conturile neverificate sau fara activitate de seller/buyer, trebuia sa incerci pe niste conturi verificate sau cu balanta pentru a putea afirma ca poti sa stergi orice cont.

Posted
Eu nu mai suport prostia astora de la paypal.

Vineri le-am zis ca bugul e rezolvat, si i-am rugat a mia oara sa se mai uite prin ce aveau la data cand le-am trimis bugul si sa vina cu un feedback.

Ei inca incearca sa reproduca bugul si imi vin cu prostii:

Thanks for your message. On the bug in question, we had tested this multiple times without it executing. We cannot execute this without evidence that could lead us to its successful reproduction and will not investigate it further until we have some. Even with the POC included, it was not successful for us as we noted in our email exchanges with you as late as 7/2. 

Ma las pagubas.

Fa ce trebuie facut, asa cum merita leprele alea.

Posted

Why did you even "work" with vulnerability lab? You could of just reported it yourself and take full credit+bug bounty.

Before reporting a vulnerability like that you should verify it on various account types (verified/unverified) with balance or not as POC for evidence so you can tell if they're bullshitting or not.

Posted
@neox: Cand mi-a sters mie mah_one contul de PP nu am primit niciun mail de care zici tu.

Citeste ce scrie in poza ca iti trimite e-mail pentru confirmare

cicz.th.jpg

e-mail ieste cu o confirmare care este ca o inregistrare noua pe acelasi date personale

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...