back to article Squashed bug opened EVERY PayPal account to hijacking

PayPal has plugged a huge hole that exposed every account to hijacking. The cross-site request forgery (CSRF) flaw reported by Egyptian researcher Yassar H Ali allowed attackers access to any PayPal account of their choosing if they were capable of convincing a target to click a link. A PayPal spokesperson confirmed the flaw …

  1. Bronek Kozicki Silver badge



  2. batfastad

    "A PayPal spokesperson confirmed the flaw to Vulture South adding it had no evidence accounts had been compromised."

    No evidence because the way PayPal withdraws money and freezes accounts with no justification looks exactly like criminal activity, so there's no way to differentiate.

    On another note, one thing that's always concerned me about PayPal is that they store your login e-mail in a cookie even when you've signed out. Fair enough have a mechanism of remembering a session to auto login. Also then pre-populating the e-mail address from the database using the session ID even when the user's logged out. But I've always worked on the basis that you should never store any part of user's credentials anywhere outside of your own database. Certainly not on a cookie on a user's machine. And certainly not for the secure login of a financial institution. But that's none of my business.

    I don't know anything about security for the financial services sector so I can only assume the security requirements are more lenient than I'm used to.

    1. Elmer Phud

      "if they were capable of convincing a target to click a link."

  3. picturethis

    They should have paid him more...

    Just $10,000?? PayPal got off cheap. It should have been $100,000.

    Typical. Companies now just put shit software out there for the world to use and hope that either there are no bugs (we know how unlikely that is) or that if there are, someone discovers them before too much damage is done.

    And people wonder why I don't deal with PayPal, Google App Store, Apple, etc. and I do give up a lot in choosing not to use the services of these companies.

  4. DNTP

    Have a balance in your paypal account? Paypal naturally refusing to let you withdraw your balance from your account? Find out how an IT security researcher found one neat trick to HACK YOUR OWN ACCOUNT and get your money that paypal is holding for "reasons" while they collect the interest it accrues.

  5. JB77


    Try this:

    1) Buy something paying with a vendor accepting PayPal. Select "Pay with PayPal".

    2) Make a PayPal via the PayPal supplied app on the vendor's page

    3) After finishing with the PayPal payment, you will be returned to the vendor site where you made the purchase.

    4) Now your THINK you are logged out of your PayPal account. Let's check...

    5) Type this EXACTLY, into your browser:

    Press ENTER. Bingo! Your back into your PayPal account.


    That's because the account wasn't closed by the vendors app or by PayPal.

    6) While on this page, locate the "sign out" on your PayPal page. Execute it.

    Now you are really logged out. Don't believe me? Goto #5 and repeat.

    I actually called PayPal over 2 years ago, spoke to "Security" and complained about this. They said. "No big deal. The account will close itself after 10 minutes of inactivity".

    Think this practice isn't very, very bad? Look up "MIM attack".

    And they STILL haven't fixed it!


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019