Security Bug Allowed Attackers to Send Malicious Emails via PayPal's Servers

Dima007

Apr 24, 2013

Benjamin Kunz Mejri, security researcher at German firm Vulnerability Lab, has helped PayPal discover and patch a bug in one of its service's features that would have permitted attackers to use PayPal's servers to send emails with malicious code.
The researcher's technical write-up is a little complex for people without programming skills, but to understand how this flaw works, here's the attack scenario.

The security bug revolves around a user's ability to share a PayPal account with other people. The attacker only has to create an account, and then add the email addresses of the people he wants to share the account with. By default, PayPal will send these people an email to verify their identity.

Mr. Mejri found out that he could add malicious code to his account's username, which would then be picked up by PayPal's automatic emailing application, and embedded in the emails sent to these persons.

Flaw could be used to carry out phishing attacks via official PayPal email address
When the email reached its target and the victim opened it, the malicious code would be executed automatically in the victim's email client.

A successful attack would allow a hacker to carry out session hijacking and redirection to external sources, but the most dangerous scenario would be one in which the user is asked to click a link and enter his PayPal credentials on a phishing site. Since the email comes from PayPal's official email address, most users won't suspect a thing.

"Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction," Mejri explained. For his efforts, the researcher was awarded $1,000 through PayPal's bug bounty program.
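As an added illustration (not code from the article, from Vulnerability Lab or from PayPal), here is a constructed invite-mail renderer that embeds the inviting account's display name: the first version reproduces the class of flaw described above, the second escapes the name at render time and validates it when it is stored. The template text and the display-name rule are assumptions.

```python
import html
import re
from string import Template

# Constructed sample template (hypothetical, not PayPal's real mail template).
# The inviter's display name is interpolated into an HTML email body.
INVITE_TEMPLATE = Template(
    "<p>$inviter has added you to their account. "
    "Please verify your identity.</p>"
)

# Assumed allow-list for display names: word characters, spaces and a few
# punctuation marks, 1-64 characters. Angle brackets and quotes are rejected.
DISPLAY_NAME_RE = re.compile(r"^[\w .,'-]{1,64}$")


def render_invite_unsafe(inviter: str) -> str:
    """Interpolates the name verbatim: any markup in the stored username
    becomes markup in the email, which is the flaw the write-up describes."""
    return INVITE_TEMPLATE.substitute(inviter=inviter)


def render_invite_safe(inviter: str) -> str:
    """Output encoding: HTML-escapes the name so the mail client renders it
    as text, never as an element or attribute."""
    return INVITE_TEMPLATE.substitute(inviter=html.escape(inviter, quote=True))


def is_valid_display_name(name: str) -> bool:
    """Input validation at the point the username is stored; a second layer
    in front of the output encoding above."""
    return DISPLAY_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed test value: a display name carrying a script element.
    name = "Alice <script>alert(1)</script>"
    print("valid name:", is_valid_display_name(name))      # False
    print("unsafe:", render_invite_unsafe(name))             # markup survives
    print("safe:  ", render_invite_safe(name))               # markup escaped
```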