All PayPal accounts were 1 click away from hijacking

All PayPal accounts were 1 click away from hijacking

Image of click courtesy of ShutterstockUntil Egyptian cyber-security researcher Yasser Ali found it and reported it to PayPal, there was a security hole that meant 150 million-plus customers were one measly click away from account hijacking.

Ali said in a blog post that the “critical vulnerability” meant an attacker could hijack any PayPal user account and have their way with it, including but not limited to the ability to:

  • Add/remove/confirm email address
  • Add fully privileged users to a business account
  • Change security questions
  • Change billing/shipping address
  • Change payment methods
  • Change user settings (notifications/mobile settings)

In other words, an attacker could have picked an account, exploited the hole, and gone on to install their own contact details and to switch the billing, shipping address and payment methods as they liked.

Ali also showed how it’s done in this proof of concept video.


The researcher said that the exploit was enabled by a cross-site request forgery (CSRF) – also known as a “session riding” – flaw. Such an exploit provides a way for malicious website X to retrieve data that is only supposed to be revealed when you visit site Y.

All it would have taken, he said, was to convince a target to click a link, which is simple enough with a little help from social engineering: for example, by sending a link via email or chat.

Ali’s now $10,000 (£6,380) richer, having bagged the top payout in PayPal’s bug bounty program.

He said in his advisory that the captured authentication token his exploit managed to obtain was valid for all PayPal accounts.

After a deep investigation I found out that the CSRF auth is reusable for a specific user email address or username.

This means attackers who found any of these CSRF tokens can [imitate] any logged in user.

[Attackers] can obtain the CSRF auth by intercepting the POST request from a page that provides an auth token before the logging-in process.

PayPal confirmed the bug to Vulture South – also known as The Register’s Asia-Pacific bureau.

A spokesperson said that the company hasn’t detected any evidence of accounts having been compromised.

From the statement:

Through the PayPal Bug Bounty Program, one of our security researchers recently made us aware of a way to bypass PayPal's Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto Our team worked quickly to address this vulnerability, and we have already fixed the issue.

CSRF isn’t a new kind of exploit, it just doesn’t seem to get the same attention that SQL injection or XSS (Cross Site Scripting) do.

If you build websites for people we recommend you read the OWASP has guides on how to review code for this particular vulnerability, how to test for it, how to prevent it, and more.

You can defend yourself against CSRF vulnerabilities when you’re browsing or reading your mail just by making sure you log out of websites and applications when you’re finished with them.

Image of click courtesy of Shutterstock.