Yasser Ali's Blog

PayPal Hacked

The application generates a valid "Auth" token for a logged-out user!

Hacking PayPal Accounts with one click (Patched)

  • Post author:eng_yasser
  • Post published:October 9, 2014
  • Post category:Security
  • Post comments:105 Comments


105 responses to “Hacking PayPal Accounts with one click (Patched)”

  1. Hacking PayPal Account with a single exploit | Security Affairs
    December 3, 2014

    […] Egyptian security researcher, Yasser H. Ali has reported three critical vulnerabilities in PayPal website that could be exploited by an attacker to […]

    Reply
  2. xys
    December 3, 2014

    How much did you get? Saying you got the max and then not saying how much it is sounds a bit unfair 🙂

    Reply
  3. slamus
    December 3, 2014

    Yeah, tell us!

    Reply
    1. yasser
      December 3, 2014

      10,000 USD 🙂

      Reply
      1. Ramy
        December 3, 2014

        MSA, congrats bro, I wish you the best ISA

        Reply
  4. PayPal patches vulnerability that could have let an attacker hijack anyone’s account (updated) - Reader
    December 3, 2014

    […] researcher Yasser Ali has publicly disclosed a vulnerability in PayPal’s website. Ali claims he was able to hijack anyone’s account […]

    Reply
  5. Yasser Ali’s Blog » Hacking PayPal Accounts with one click | whitehatnews.com
    December 3, 2014

    […] Link […]

    Reply
  6. Brendan
    December 3, 2014

    Hi Yasser,

    I don’t really understand the part about visiting yasserali.com:8080/w3pwn

    What information is being captured in that XSS request? Was that necessary just for adding another email address, or for the password reset, or both? Can I say that if the user didn’t click on the link, this attack is rather difficult to reproduce?

    Brendan

    Reply
    1. yasser
      December 3, 2014

      A CSRF attack needs user interaction; in this attack the victim has to click on the link, that’s it. Regarding the Auth-Token, the attacker could get a valid Auth-Token from any request that happens in an anonymous session.

      Reply
      1. Brendan
        December 4, 2014

        Thanks for the explanation. Can I access the Python script code?

        Reply
  7. Brendan
    December 3, 2014

    Is the auth in the HTTP_REFERER?

    Reply
  8. Gareth
    December 3, 2014

    How much was the bounty? That’s what we really want to know 🙂

    Reply
    1. yasser
      December 3, 2014

      10,000.00 USD 🙂

      Reply
  9. markey
    December 3, 2014

    Hi Yasser Ali, can you make a better video, i.e. zoom in on those commands etc.? Or even speech? Thanks for your time, and lovely hack.

    Reply
  10. markey
    December 3, 2014

    Yasser Ali, I can’t see what you are typing etc.

    Reply
    1. yasser
      December 4, 2014

      Set the video quality to 1080px

      Reply
  11. Mohit
    December 3, 2014

    Hi Yasser,
    Any possibility of sharing the Python code? 😛

    Nice one, congrats 🙂

    Reply
  12. John
    December 4, 2014

    Holy hell you must be one happy camper with $10k USD.

    Tell us about yourself, what do you do? Age?

    Reply
    1. yasser
      December 6, 2014

      I am 28, I do security consultation 🙂

      Reply
  13. FU
    December 4, 2014

    Actually they paid the mudslime in falafel vouchers 🙂 Bug ruining douche.

    Reply
  14. Alan
    December 4, 2014

    Hi, I am very impressed by your achievement. It would be nice if you could share with me how you learnt your skills in Information Security. I mean which books or websites?

    Reply
  15. Amlan
    December 4, 2014

    When did you report this and how many days did they take to fix it?

    Reply
  16. Tarek Jan
    December 4, 2014

    I honestly think you deserve more. Some services offer up to 1 million for those who discover vulnerabilities in their security. This vulnerability wasn’t a Gmail, iCloud or SnapChat one, it was on an online banking/money transfer site. The consequences could have been huge and purely financial to the company.

    Reply
  17. Vivek
    December 4, 2014

    Really this was a nice catch… Congrats Yasser bro (y) 😀

    Reply
  18. PayPal patches vulnerability that could have let an attacker hijack anyone’s account (updated) | SomeLearning
    December 4, 2014

    […] researcher Yasser Ali has publicly disclosed a vulnerability in PayPal’s website. Ali claims he was able to hijack anyone’s account […]

    Reply
  19. Rajesh
    December 4, 2014

    That was nice!! How long did it take you to do all this?

    Reply
    1. yasser
      December 4, 2014

      I got the idea while walking in the street. Then it took some hours to bypass the security questions and write the Python script.

      Reply
  20. oxdef
    December 4, 2014

    So there were two main issues:
    1. You were able to get a universal (for all users) CSRF token from the _send-money form
    2. There was no password protection for adding an email and changing questions

    Is it correct?

    Reply
    1. yasser
      December 4, 2014

      Yes, but there was password protection on the “changing questions”; I bypassed this by calling the “set” questions function instead of the “Reset” questions function and successfully overwrote the already-set questions ;). Clear now?

      Reply
      1. oxdef
        December 5, 2014

        Yes, thanks! Good job :)

        Reply
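oxdef’s summary and yasser’s reply above describe a second defect next to the token problem: the “reset questions” function checked the password, but the “set questions” function did not, and “set” happily overwrote questions that were already in place. The following is an added example written for this page; it is not code from the blog post or from PayPal. It models an account with a password-verified reset path beside an unguarded set path, then shows the defensive fix of routing every change to recovery data through one function that re-authenticates. The Account class, the password and the question values are all constructed for the example.

```python
import hashlib
import hmac
import os


class Account:
    """Minimal account model (constructed for this example)."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password, self.salt)
        self.security_questions = None  # nothing set yet

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify_password(self, password: str) -> bool:
        # Constant-time comparison so the check itself leaks nothing about the hash.
        return hmac.compare_digest(self._hash(password, self.salt), self.password_hash)


def reset_questions(acct: Account, password: str, questions: dict) -> bool:
    """'Reset' path: re-authenticates before touching recovery data."""
    if not acct.verify_password(password):
        return False
    acct.security_questions = questions
    return True


def set_questions_vulnerable(acct: Account, questions: dict) -> bool:
    """'Set' path as described in the thread: no password check and no check
    that questions already exist, so a forged request silently overwrites them."""
    acct.security_questions = questions
    return True


def change_questions_hardened(acct: Account, password: str, questions: dict) -> bool:
    """Single code path for first-time set and later reset: both require the password,
    so there is no second endpoint for an attacker to pick instead."""
    if not acct.verify_password(password):
        return False
    acct.security_questions = questions
    return True


def demo():
    """Walks through the scenario from the thread.
    Returns (questions after the attacks, vulnerable-set result, hardened-change result)."""
    acct = Account("correct horse battery staple")  # constructed password
    reset_questions(acct, "correct horse battery staple", {"q1": "a1"})  # legitimate owner sets them

    # A forged request hits the unguarded 'set' path: no password, questions overwritten.
    overwritten = set_questions_vulnerable(acct, {"q1": "attacker"})

    # The same forged request against the hardened path carries no valid password: refused.
    rejected = change_questions_hardened(acct, "wrong-password", {"q1": "attacker2"})
    return acct.security_questions, overwritten, rejected


if __name__ == "__main__":
    print(demo())  # ({'q1': 'attacker'}, True, False)
```

The design point is that any operation on account-recovery data (questions, recovery email, phone) should sit behind the same re-authentication step regardless of whether it is a first-time set or a later change; two endpoints with different guards are exactly what gave the thread its bypass.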
  21. عبدالرحمن الشياب
    December 4, 2014

    Peace be upon you,
    How are you, Ali?
    They have written an article about your blog on Softpedia; the link to the article:
    http://news.softpedia.com/news/Critical-PayPal-Bug-Left-All-Accounts-Vulnerable-to-Hijacking-466500.shtml

    Reply
  22. Warun
    December 4, 2014

    May I copy your clip and add some explanation in Thai? I will link back to the original clip.

    Reply
    1. yasser
      December 4, 2014

      Go ahead, share knowledge 🙂

      Reply
  23. Vadim Lebedev
    December 4, 2014

    Hi Yasser,

    Excellent catch

    What baffles me however is that the connection with the PayPal site is not SSL protected!!!!
    If it was, your hack would be impossible to realise… Or am I missing something?

    Reply
    1. yasser
      December 4, 2014

      It is SSL protected bro!

      Reply
  24. Vadim Lebedev
    December 4, 2014

    Hi Yasser,

    I’ve been too fast to post my previous comment, but now I’m baffled even more!!!
    PayPal DOES use SSL…. So I’m at a loss how you managed to get the plaintext of the session?

    Reply
    1. yasser
      December 4, 2014

      I am intercepting my own traffic using Burp Suite. Where is the problem?

      Reply
  25. Hacking PayPal Accounts With CSRF | Hackaday
    December 4, 2014

    […] The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time. […]

    Reply
  26. Hacking PayPal Accounts With CSRF - Tech key | Techzone | Tech data
    December 4, 2014

    […] The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time. […]

    Reply
  27. Amlan
    December 4, 2014

    I have detected one such CSRF payload that has the potential to CSRF all PayPal functions. PayPal is presently working on that issue. Not sure how much they are going to pay me for that. Could you please tell me how many days they took to fix that issue for yours? What categorization had they assigned to that issue? For me they categorized that as CSRF, though it is not a normal CSRF.

    Reply
    1. Amlan
      December 4, 2014

      Hi Yasser,

      did you get a chance to look at my comment?

      Amlan

      Reply
      1. yasser
        December 4, 2014

        Yes, I have talked to you on Facebook and you didn’t respond; DM me on Twitter

        Reply
        1. Amlan
          December 5, 2014

          I guess you have contacted the wrong Amlan. My Twitter ID is @whitesec1211 🙂

          Thanks

          Reply
  28. Vadim Lebedev
    December 4, 2014

    Sorry Yasser,
    I’m not really a pentest expert… but browsing through the Burp Suite docs I’m trying to understand how it works in your case. I suppose that you’ve installed the Burp CA certificate into the trust chain of your browser, and the Burp proxy tool generated for you a certificate for http://www.paypal.com for its MITM functionality… Am I right? If so, it seems to me that an attacker who is trying to intercept traffic from another person’s browser will have a much bigger challenge before him, as he will have to BREAK the SSL encryption without the help of a cooperating browser. Or am I missing something else?

    P.S. I’m not trying to criticise your achievement; it is pretty brilliant work IMO

    Reply
    1. Michal
      December 4, 2014

      Vadim, it’s not a man-in-the-middle attack but a CSRF attack. If you’re not familiar with CSRF you can look up the Wikipedia article; it explains the basics pretty well. The TL;DR is that you trick the user into sending the right HTTP request to PayPal’s website by e.g. making them click a link or load an “image”.

      Reply
      1. Vadim Lebedev
        December 8, 2014

        Hi Michal,
        Thank you for the pointer, I’ve brought myself up to date about CSRF attacks, so to summarize:
        I attempt an unsuccessful login to PayPal using the victim’s credentials,
        while using Burp to decode the traffic and recover the auth token.
        Then I trick the user into sending an HTTPS request (email/password change, for example) to PayPal with the auth token I collected?

        Reply
    2. yasser
      December 4, 2014

      Michal made it clear: a hacker doesn’t need to be MITM. Go to OWASP and read about the CSRF attack

      Reply
  29. Researcher demonstrates the PayPal hack
    December 4, 2014

    […] Egyptian security researcher Yasser H. Ali has demonstrated hacking PayPal with a single click, exploiting a critical vulnerability that could have put 156 million at risk […]

    Reply
  30. Amlan
    December 5, 2014

    Hi Yasser,

    A few clarifications about this issue. Is it like:
    1. You navigated to the page https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money
    2. Tried to transfer money
    3. PayPal asks for credentials
    4. Let’s say you provided [email protected] (victim email) and a wrong password (as you don’t know the victim’s password)
    5. You captured the auth token in Burp Suite and forwarded the authentication request (which of course will fail as the password was wrong), but the auth token used in this request can now be reused for victim id [email protected]
    6. You created a CSRF payload with the captured auth token and sent that to [email protected] as a targeted attack
    7. If the user bearing PayPal id [email protected], when logged into PayPal, clicks on the link sent by you, they fall victim to your trap.

    Am I correct?

    Best
    Amlan

    Reply
    1. yasser
      December 5, 2014

      Yes, right, but you don’t have to enter or know the victim’s email to capture the Auth Token; you can just enter any random value. No need for the victim’s email.

      Reply
  31. Hacking PayPal Accounts With CSRF | Hack The Planet
    December 5, 2014

    […] The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time. […]

    Reply
  32. PayPal Accounts Takeover Vulnerbility | TAR News
    December 5, 2014

    […] researcher Yasser Ali has publicly disclosed a vulnerability in PayPal’s website. Ali claims he was able to hijack anyone’s account in a […]

    Reply
  33. ste williams – All PayPal accounts were 1 click away from hijacking
    December 5, 2014

    […] said in a blog post that the “critical vulnerability” meant an attacker could hijack any PayPal user […]

    Reply
  34. Warun
    December 5, 2014

    A thing that I didn’t understand from your clip is about the Python script.

    As I understand it, when the victim visits a trap, the victim is the person who sends the information, am I right? So the script is just like a tunnel to let the attacker pass the needed information to make the victim’s browser send a request to PayPal as the attacker wants.

    So, the request sent to PayPal doesn’t use a different session; the attacker uses the victim’s session with the given token passed through the tunnel. Right? Are you able to provide the script to get more understanding?

    PS. I have put your content here https://www.youtube.com/watch?v=kmPqMUkFkHg

    Reply
    1. yasser
      December 5, 2014

      The attacker can generate a CSRF which is valid for everybody. The Python script is just for automating the process and making the exploit powerful. I have seen your video, amazing 😉

      Reply
  35. Hacking PayPal Account with Just a Click « About Hacker
    December 5, 2014

    […] affecting more than 156 millions PayPal users. An Egyptian security researcher, Yasser H. Ali has discovered three critical vulnerabilities in PayPal website including CSRF, Auth token bypass and Resetting […]

    Reply
  36. Hack a PayPal account with just one click - F403MX
    December 5, 2014

    […] more than 156 million PayPal users. An Egyptian security researcher, Yasser Ali H., has discovered three critical vulnerabilities on the PayPal website including CSRF, Auth token bypass […]

    Reply
  37. Sony Breach & More – WSWiR Episode 131 - Varanoid.com
    December 6, 2014

    […] Major, account-hijacking PayPal XSS, but it’s fixed – Yasserali Blog […]

    Reply
  38. Sony Breach & More – WSWiR Episode 131
    December 6, 2014

    […] Major, account-hijacking PayPal XSS, but it’s fixed – Yasserali Blog […]

    Reply
  39. Hacking PayPal Account with Just a Click | handleweb.net
    December 6, 2014

    […] affecting more than 156 millions PayPal users. An Egyptian security researcher, Yasser H. Ali has discovered three critical vulnerabilities in PayPal website including CSRF, Auth token bypass and Resetting […]

    Reply
  40. PayPal hackable in one click according to security researcher | ITProPortal.com
    December 6, 2014

    […] researcher Yasser Ali is on the good side, but he still has released details of a vulnerability that shows how easy it […]

    Reply
  41. Researcher Shows How To Hack Any PayPal Account In Just One Click. | Hack Read
    December 7, 2014

    […] posted his findings on his blogpost explaining that the hack was possible with just one click as it required hackers trying to access a […]

    Reply
  42. Rebecca Owens
    December 7, 2014

    I do believe that I have been hacked. PayPal and eBay have both denied this but I have a zero bank balance. Right here at Christmas. No one can seem to help me, especially not the “big” conglomerates that ignore the problems and “deny, deny, deny”. I will proceed with whatever means are available to me. Now that I have been robbed by these “hackers” and have no money left for presents, it’s a sad, sad thing. Huum, I have no choice but to move forward… thanks for letting me vent.
    To you all… Have a great Christmas!
    (Oh, btw) first time I had ever ordered on eBay.

    Reply
    1. yasser
      December 7, 2014

      I think you have been a victim of a scam, not hacking. You should never give up; follow up with your issue until you get all your rights back.

      Reply
  43. It was possible to hack PayPal with a mouse click | Data Security Breach
    December 7, 2014

    […] PayPal was quick to respond to this alert. Once the fix was made, Ali received a 10,000 dollar reward. The flaw was on the authentication token side. These codes are sent to customers and change every time the user clicks on the PayPal link. Ali, however, found that each token can be reused by making PayPal believe that the “clicking” customer is indeed the owner of the account in question. (Ali) […]

    Reply
  44. 150 Million PayPal Accounts In Danger of Hijacking - Patriot Rising
    December 9, 2014

    […] detailed how the vulnerability could be exploited, in a blog. The essential problem lies with the fact that CSRF Auth verifies every single request of that […]

    Reply
  45. A serious vulnerability found in PayPal’s request forgery protection | Zit@i0
    December 10, 2014

    […] requests). He described this vulnerability in detail on his blog; we translated and adapted the post with the description […]

    Reply
  46. Saravanan Vel
    December 10, 2014

    The hijacked money actually is mine. Can u plz resend me back.

    Reply
    1. Saravanan Vel
      December 10, 2014

      Ha ha, waiting for approval… good. Can I get your Facebook ID?

      Reply
      1. yasser
        December 10, 2014

        Contact me on twitter and I will DM you my Facebook

        Reply
    2. yasser
      December 10, 2014

      OK, I will 😀

      Reply
  47. A serious vulnerability found in PayPal’s request forgery protection | Malanris's site
    December 10, 2014

    […] described on his blog, we translated and […]

    Reply
  48. PayPal vulnerable to CSRF (fixed) - SABIAS UN DATO
    December 10, 2014

    […] Egyptian security researcher Yasser H. Ali has demonstrated hacking PayPal with a single click, exploiting a critical vulnerability that could have put 156 million at risk […]

    Reply
  49. Security Predictions for 2015 - InfoSec Institute
    December 29, 2014

    […] find an issue with the logic of the code and use it to conduct an attack. For e.g, Yasser ali demonstrated how he was able to hijack a paypal account with just a single click. So we can surely expect an […]

    Reply
  50. John
    December 29, 2014

    Dear Yasser,
    May I please have the source to your Python program to help me learn more about information security? I know that it doesn’t work but I just want to look at the source

    Reply
  51. Security Predictions for 2015 | OSINFO
    January 3, 2015

    […] find an issue with the logic of the code and use it to conduct an attack. For e.g, Yasser ali demonstrated how he was able to hijack a paypal account with just a single click. So we can surely expect an […]

    Reply
  52. Top 10 Web Hacking Techniques of 2014 | WhiteHat Security Blog
    January 8, 2015

    […] Belkin Buffer Overflow via Web 25. Google User De-Anonymization 26. Soaksoak WordPress Malware 27. Hacking PayPal Accounts with 1 Click 28. Same Origin Bypass in Adobe Reader […]

    Reply
  53. Sony Breach & More – WSWiR Episode 131 | Everything You Need to Take Threats Head On
    February 3, 2015

    […] Major, account-hijacking PayPal XSS, but it’s fixed – Yasserali Blog […]

    Reply
  54. Information Security Breach Report – 04 December 2014 | SRM Blog
    February 3, 2015

    […] Hacking PayPal Accounts with one click – http://yasserali.com/hacking-paypal-accounts-with-one-click/ […]

    Reply
  55. Faizan Asad
    February 12, 2015

    Hi Yasser… I am a newbie also and I want to learn… can you provide the source code please??… want to research …

    Reply
    1. yasser
      February 12, 2015

      The source code has nothing to do with research!

      Reply
  56. 28grams
    February 17, 2015

    What tools did you use? Sorry, noobie, still learning

    Reply
    1. yasser
      February 18, 2015

      Just burp proxy 🙂

      Reply
  57. Critical vulnerability in PayPal | My Blog
    March 13, 2015

    […] Yesser H. Ali, an Egyptian computer security researcher, found three major vulnerabilities in the PayPal payment service, among them XSRF (Cross-site request forgery). It is an extremely dangerous flaw, given that with it an attacker can register his own email address on the victim’s PayPal account if she clicks on a malicious HTML link. Security questions do not help in this case either, because the vulnerability lets the attacker bypass the questions and reset the password directly. How simple this way of hijacking an account is was shown by Yesser himself on his blog, and the video can be seen here: http://yasserali.com/hacking-paypal-accounts-with-one-click/ […]

    Reply
  58. A serious vulnerability found in PayPal’s request forgery protection | FNIT.RU
    April 9, 2015

    […] requests). He described this vulnerability in detail on his blog; we translated and adapted the post with the description […]

    Reply
  59. Top 10 Web Hacking Techniques of 2014 | ASZone
    April 23, 2015

    […] Hacking PayPal Accounts with 1 Click […]

    Reply
  60. Panos
    April 28, 2015

    Is the vuln still active? A lot of hacks regarding PayPal this month.

    Reply
  61. KAREEMSAAD
    May 2, 2015

    How, engineer?

    Reply
  62. sawaid
    May 6, 2015

    Can I add money to my PayPal?

    Reply
    1. yasser
      May 13, 2015

      Nope, PayPal is secure

      Reply
  63. machaith
    July 28, 2015

    Brilliant, loved it 😀

    Reply
  64. MahmoudAhmed
    July 28, 2015

    I think you entered an invalid email (in the text input >> from email) …… [email protected]
    But to whom does this token belong, as it isn’t a valid email!!!!!?

    Reply
    1. yasser
      July 28, 2015

      This was a Valid-For-All token, a token which is not associated with any session, so it will be valid for any session!

      Reply
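The “Valid-For-All token” in this reply, and the capture-and-replay sequence Amlan lays out in comment 30 (token harvested from a failed anonymous login, then reused inside the victim’s logged-in session), both come down to one property: the server accepted an anti-CSRF token without checking which session it had been issued to. The following is an added example, not code from the blog post or from PayPal. It models that weak design beside the usual fix, a token derived as an HMAC over the session identifier and issued only to authenticated sessions, and replays the thread’s scenario against both. The server key, session identifiers and the placeholder token value are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret (constructed here; a real deployment loads it from a secret store).
SERVER_KEY = secrets.token_bytes(32)

# --- Weak design, as described in the thread: one token, tied to no session ---------------
# Constructed placeholder value; the defect is that every client, anonymous or not, gets it.
GLOBAL_TOKEN = "auth-token-valid-for-everyone"


def issue_token_weak(session_id: str, authenticated: bool) -> str:
    """Hands the same token to every session, including anonymous ones."""
    return GLOBAL_TOKEN


def validate_weak(session_id: str, authenticated: bool, token: str) -> bool:
    """Checks the token's value but never which session it was minted for."""
    return hmac.compare_digest(token, GLOBAL_TOKEN)


# --- Hardened design: token = HMAC(server key, session id), issued only after login --------
def issue_token_bound(session_id: str, authenticated: bool):
    """Derives a per-session token; an anonymous session receives nothing to harvest."""
    if not authenticated:
        return None
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def validate_bound(session_id: str, authenticated: bool, token) -> bool:
    """Recomputes the token for the presenting session, so a token minted for any
    other session (or for no session) fails the constant-time comparison."""
    if not authenticated or not token:
        return False
    expected = issue_token_bound(session_id, True)
    return hmac.compare_digest(expected, token)


def demo():
    """Replays the thread's scenario against both designs.
    Returns (weak_accepted, bound_accepted_anonymous, bound_accepted_cross_session)."""
    anon_session = "sess-anonymous-constructed"
    victim_session = "sess-victim-constructed"
    other_session = "sess-other-user-constructed"

    # Step 5 of Amlan's summary: a token captured from an anonymous (failed-login) session.
    harvested = issue_token_weak(anon_session, authenticated=False)
    # Steps 6-7: the forged request is sent from the victim's logged-in session. Weak design accepts it.
    weak_accepted = validate_weak(victim_session, True, harvested)

    # Same sequence against the hardened design: anonymous sessions get no token at all...
    harvested_bound = issue_token_bound(anon_session, authenticated=False)
    bound_accepted_anon = validate_bound(victim_session, True, harvested_bound)
    # ...and even a token minted for a different authenticated session is rejected.
    cross = validate_bound(victim_session, True, issue_token_bound(other_session, True))
    return weak_accepted, bound_accepted_anon, cross


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Binding the token to the session is what makes the anonymous capture worthless: the attacker can still observe a token in their own proxy, but it verifies only inside the session it was minted for, which the attacker does not hold. A detection-side corollary is that the same token value appearing across many distinct sessions is itself a signal worth alerting on.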
  65. yasir kadri
    October 8, 2015

    Hey bro, don’t hack mine, I also connected wid us pls

    Reply
  66. vijay
    October 16, 2015

    nice

    Reply
  67. htet htet
    October 18, 2015

    Hi, please give the video link

    Reply
    1. yasser
      October 19, 2015

      I have uploaded a new video, kindly refresh the page

      Reply
  68. Hacking of Paypal Acoount By Just a Click By Yasser Ali – Simentify
    March 29, 2016

    […] Egyptian security researcher, Yasser H. Ali has discovered three critical vulnerabilities in PayPal website including CSRF, Auth token bypass and […]

    Reply
  69. Dhivakar
    April 2, 2016

    nice work bro…congratsss 🙂

    Reply
  70. Kishore
    April 28, 2016

    GreaT 😀

    #RESPECT

    I’ve been trying for 3 months, nothing HAPPENED 🙂

    Reply
  71. Web Application Security & Bug Bounty (Methodology, Reconnaissance, Vulnerabilities, Reporting) – Welcome Hackers!
    January 31, 2019

    […] Hacking PayPal Accounts with one click (Patched) by Yasser Ali […]

    Reply
  72. Web Application Security & Bug Bounty – CodeCraver
    February 22, 2019

    […] Hacking PayPal Accounts with one click (Patched)by Yasser Ali […]

    Reply
  73. Guide 001 |Getting Started in Bug Bounty Hunting.. – Muhammad Khizer Javed
    June 3, 2019

    […] Hacking PayPal Accounts with one click (Patched) by Yasser Ali […]

    Reply
  74. Bug Bounty Methodology (TTP- Tactics,Techniques and Procedures) V 2.0 ~ Cyberzombie
    June 30, 2019

    […] Hacking PayPal Accounts with one click (Patched) by Yasser Ali […]

    Reply
  75. Getting Started in Bug Bounty Hunting | Complete Guide
    August 30, 2019

    […] Hacking PayPal Accounts with one click (Patched)  Yasser Ali […]

    Reply