The payment provider PayPal has had, and still has, vulnerabilities in its system that were reported in January 2020 and have not been fixed a month later.
In a shocking decision, PayPal has rejected vulnerabilities reported by researchers as part of the payment giant's bug bounty program.
Attackers can abuse them to drain PayPal and bank accounts.
Every tech company that takes its cybersecurity seriously runs a bug bounty program so that vulnerabilities reach it before they reach attackers.
PayPal is one of these, though it uses a third-party platform named HackerOne to handle the entire process. However, this doesn't appear to be going smoothly.
HackerOne: Broken by Design?
The way HackerOne’s system works is simple: With HackerOne, in-house security analysts quickly review and categorize each reported issue and escalate or close those cases as needed. The idea is that the HackerOne security analysts identify reported problems, attempt replication and communicate with the vendor to work on a solution. That’s the theory.
Bernard Meyer, Senior Researcher at CyberNews, has now had his own experience with this approach.
He says: “There is a big flaw here: these security analysts who evaluate reports of vulnerabilities are also active bug bounty hackers.
Essentially, these security analysts have the power to escalate, delay, or close a reported problem”. According to Meyer, this leads to fraud and abuse.
The evaluators could act in bad faith and delay the original report while reporting the vulnerability themselves using a different identity to collect the bonus, and then close the original report as inaccurate or perhaps a duplicate.
“The system is vulnerable to abuse, especially as the security analysts on HackerOne use generic usernames. That means there’s no real way to know what they’re doing on other bug bounty platforms,” Meyer continued.
A few days ago, CyberNews published its report alleging that "PayPal punished us" for finding six critical vulnerabilities.
The six PayPal vulnerabilities
The security researchers have documented the current case in this article along with the vulnerabilities.
For example, PayPal's two-factor authentication (2FA) can apparently be bypassed with little effort. Here is the list of open vulnerabilities that the people from CyberNews have provided me with.
Only three vulnerabilities (#4 Full name change, #5 Self-help SmartChat vulnerability on PayPal and #6 Security questions persistent XSS) have been fixed. The details are described in this CyberNews article.
The vulnerabilities include the following:
1. Their team was able to bypass Authflow – PayPal’s version of 2FA – which is usually prompted by the payment provider to verify the user’s identity if they try to access their account from a previously unrecognized location.
They did so by using PayPal’s mobile app along with a Man in the Middle (MITM) proxy which granted them access to an “elevated token” that could be used to gain access.
Image credit: CyberNews
Since one could find PayPal credentials on the dark web for as little as $1.50, the ease of such an attack is greatly increased. In response to this revelation, HackerOne – the platform – replied with the notion that as the compromise of user accounts is a pre-requisite for this type of attack, “there does not appear to be any security implications as a direct result of this behavior.”
The punishment here was the issue being classified as “Not Applicable” resulting in a loss of 5 reputation points for CyberNews.
2. The researchers were able to dodge PayPal's one-time PIN (OTP) security check, which is used to verify that the phone number indeed belongs to whoever claims to be the account holder. To delve a bit deeper: when a user registers a phone number, a call is made to api-m.paypal.com to send a confirmation message. However, it is possible to change the address in this call, which registers the new number without any check.
Image credit: CyberNews
The repercussions of this are obvious. Users can register multiple accounts with the same number, which makes abandoning one's previous account, and thus misuse, a whole lot easier.
PayPal’s response to this one was even more humiliating. To draw an analogy, think about the time you were seen-zoned (WhatsApp, Messenger, anywhere), I bet it didn’t feel good. Similarly, here too after an initial surge of interest, PayPal just locked the report and walked away.
Image credit: CyberNews
Ouch.
3. As discussed in vulnerability #1, there are times when PayPal brings in its security checks like 2FA to verify the user’s identity. These include but are not limited to the “account access from new location” as discussed above, usage of a new device, a change in payment patterns or just that an account is very new.
Hence, the user may be required to go through measures such as confirming a newly added payment method, or, if they are out of luck, simply receive a straight-up "Your payment was denied, please try again later."
Yet again, this check could be bypassed with a simple brute-force attack, leaving ample room for misuse. But but but, who cares? Our favorite payment provider once more conveniently put this in the "out-of-scope" category, citing the "user account compromised" prerequisite discussed above.
4. For users who may have misspelled their name while creating an account, PayPal has a basic check in place that allows users to "only change 1-2 letters of their name once", after which the option disappears. Despite this, it was found that by capturing the requests made and repeating the process 1-2 letters at a time, a whole name change was possible, with the following example as proof by CyberNews' team.
Image credit: CyberNews
Moreover, any Unicode symbol could also be added to the name. The problem from this entire ordeal is that let’s say a hacker accesses my account. They could then change my name and claim the account as their own. If I sent any documents to PayPal to prove my ownership, they wouldn’t be able to do anything since the name on the documents does not match the account’s new name, unfortunately.
Fortunately, though, the researchers weren't treated with the same contempt shown for the previous vulnerabilities. The flaw was deemed a duplicate by PayPal, but for a legitimate reason: another researcher had already reported this same flaw (why hasn't it been fixed already, then?).
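To make the defect behind #4 concrete, here is an added example (not PayPal's code) of how a server-side name-correction rule can be enforced so that replaying the request cannot walk the name further than the policy allows; the account record, the helper names and the allowed-character rule are assumptions.

```python
# Added example, not PayPal's code. Models the "change 1-2 letters once" rule
# from the article. The broken variant only limits the delta from the *current*
# name and records nothing, so each replayed request passes; the hardened variant
# measures against the name the account was registered with and counts uses.
import unicodedata

MAX_EDITS = 2      # assumption: "1-2 letters"
MAX_CHANGES = 1    # assumption: "once"


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vulnerable_check(current_name, new_name):
    # Per-request check only: nothing stops the same 1-2 letter step being repeated.
    return levenshtein(current_name, new_name) <= MAX_EDITS


def new_account(registered_name):
    """Assumed account record; registered_name is what identity documents match."""
    return {"registered_name": registered_name,
            "current_name": registered_name, "name_changes": 0}


def is_allowed_char(ch):
    # Letters, combining marks (accents), space, hyphen, apostrophe. Rejects the
    # arbitrary Unicode symbols the article says could be inserted into a name.
    cat = unicodedata.category(ch)
    return cat.startswith("L") or cat.startswith("M") or ch in " -'"


def request_name_change(account, new_name):
    """Hardened check. Returns (ok, reason) and mutates the account only on success."""
    new_name = unicodedata.normalize("NFC", new_name).strip()
    if not new_name or not all(is_allowed_char(c) for c in new_name):
        return False, "name contains disallowed characters"
    if account["name_changes"] >= MAX_CHANGES:
        return False, "name correction already used"
    # Distance is measured from the registered name, not the current one, so a
    # chain of replayed small edits cannot drift away from the verified identity.
    if levenshtein(account["registered_name"], new_name) > MAX_EDITS:
        return False, "change exceeds allowed correction"
    account["current_name"] = new_name
    account["name_changes"] += 1
    return True, "ok"
```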
5. We all love fast online support. After all, waiting for an email from a customer support agent isn't really what we'd prefer. To address this, PayPal has a feature named SmartChat, which works as a "self-help chat" feature.
Image credit: CyberNews
The flaw discovered in this was that the text box used to accept messages did not have essential validation checks which enabled the researchers to “use a man in the middle (MITM) proxy to capture the traffic that was going to Paypal servers and attach a malicious payload.”
This could thereby allow an attacker to execute a malicious script which as CyberNews has stated can allow one to “capture customer support agent session cookies and access their account.”
Now, moving on to PayPal's response, to draw another colorful analogy: how would you feel if your friend told your joke louder and got all the laughs in a classroom? Not so great, I reckon. But that's exactly what happened here, with PayPal telling CyberNews that the flaw was not "exploitable externally" and then quietly fixing the issue itself. On top of that, since the issue was classified as Not Applicable, CyberNews again lost 5 reputation points.
6. Our last vulnerability resembles the previous one (#5): PayPal's security questions were again not equipped with essential validation, which allowed the researchers to use the same MITM proxy method. This allows malicious code to be injected, as the example below illustrates:
Image credit: CyberNews
Once injected, the code can be used for phishing and keylogging. PayPal again deemed this a duplicate issue, as with vulnerability #4, and it was patched on the very same day it was reported.
To conclude, all of these vulnerabilities are very serious even if a couple of them may have been patched. Hence, it is important that PayPal immediately fixes these along with working on addressing its problem of not acknowledging legitimate reporting done by ethical hackers.
Additionally, HackerOne should learn from this incident and change how it operates internally, because if such behavior is not rectified, bounty hunters will eventually turn away from such companies and platforms.