PayPal says it has closed a number of security holes uncovered by an Avnet Technologies security researcher, including one that could have allowed an attacker to access PayPal's back-end system for business and premier account reports and acquire a mountain of data.
A security researcher has uncovered multiple vulnerabilities affecting
PayPal, the most critical of which could have enabled attackers to access
PayPal's business and premier reports back-end system.
The vulnerabilities were patched recently by PayPal after security
researcher Nir Goldshlager of Avnet Technologies brought the vulnerabilities to
the site's attention. The most critical bug was a permission flow problem in business.paypal.com,
and could have
potentially exposed a massive
amount of customer data.
"An attacker was able to access and watch any other user's financial,
orders and report information with unauthorized access to the report
backend application," Goldshlager explained. "When users have a
premier account or business account the transaction details of their orders are
saved in the reports application ... an
attacker can look
at any finance reports of premier or business accounts in
the PayPal reports application and get a full month [and] day summary of the
That includes information such as the PayPal buyer's full shipping address,
the PayPal transaction ID of the buyer and the date and amount of transaction.
The other vulnerabilities Goldshlager found included an XSS (cross-site
scripting) vulnerability affecting the paypal.com
sites that an
attacker could use to steal session IDs and hijack user accounts, as well as a
CSRF (cross-site request forgery) bug that exposed user account information.
The CSRF vulnerability impacts the IPN (Instant Payment Notification) system, a
PayPal service that sends a message once a transaction has taken place.
Once IPN is integrated, sellers can automate their back offices so they
don't have to wait for payments to come in to fulfill orders, Goldshlager
"This CSRF exploit method exposes the same information from the buyer
as the first vulnerability ... to exploit a CSRF attack that adds a Instant
Payment Notification access, the attacker will make an attack that adds his own
Website address to the victim account IPN settings, and when there is
transaction on PayPal the victim's transaction details will be sent to the
attacker's Website," he said.
Goldshlager also uncovered smaller CSRF issues, he said. He reported the
bugs to the site in February. According to PayPal, nearly all the problems
Goldshlager uncovered were fixed right away.
"As you know, these types of security issues are very complex and we
are grateful for our strong working relationship with the security researcher
as well our partnership with the security community that have brought these
issues to light," a PayPal spokesperson told eWEEK in an e-mail. "We
have a shared mission to make PayPal and the Internet as safe as possible for