Online payments are becoming more and more important every day, but that doesn’t mean the platforms we use are stepping up their security game. PayPal, one of the largest online payment processors in the world, recently fell victim to a bug in their account system, allowing users to send malicious code through confirmation emails. Luckily, the person discovering this issue has reported the exploit to PayPal through their bug bounty program, rather than using it for malicious intent.
Sending Malicious Code With PayPal Confirmation Emails
Larger online payment processing platforms have a bigger chance of becoming vulnerable to some form of exploit sooner or later. Luckily for PayPal, German security researcher Benjamin Kunz Mejri discovered a flaw which he reported to the company immediately. If someone else had made this discovery, the company would have been off far worse.
The way this exploit works is by sending emails with malicious code through an existing PayPal account. Sending an email to a different PayPal user requires users to fill in a name – usually first and last name – but it turned out that entry field could be filled with random code, including malicious scripts.
Doing so was not as straightforward as it sounds, though, as Mejri had to bypass a security filter, which can be seen in the video below this article. Once that step was completed, he used the Paypal feature to share an account with other users by adding multiple email addresses. This feature can be compared to a multisignature Bitcoin wallet, albeit with entirely different security precautions.
All of the email addresses on the list to share this particular PayPal account with would receive a confirmation email to accept this invitation. Once a user opens this email, the malicious code is executed in the background, originating from PayPal’s servers. As most people have guessed by now, this method makes it rather easy to execute phishing attacks against other users, while ensuring the email sender is PayPal, rather than spoofing the header.
Other exploits included session hijacking, and even redirecting the user to different web pages or websites. Luckily for all PayPal users, this exploit has been patched in early March 2016, and Mejri received a US$1,000 bounty for reporting this security flaw. White hat hackers are of incredible value to financial service providers, which is why companies such as PayPal have their bug bounty program.
Bitcoin is An Answer To Centralized Services
Although Paypal is one of the most popular online payment processors in the world, their entire business model is as centralized as it can get. Not only do they take a cut of every transaction – and quite a big one too – but they also hold on to customer funds when both depositing and withdrawing money. Relying on a service with a central point of failure is putting consumer’s funds at risk.
Bitcoin, on the other hand, is entirely decentralized at its core, although there are centralized platforms in this ecosystem as well. Financial control is something very few consumers are accustomed to, and no longer relying on centralized services requires a major mind shift. However, for those willing to take financial matters into their own hands, Bitcoin is a viable option.
What are your thoughts on this recent PayPal vulnerability? Let us know in the comments below!
Source: Tweakers (Dutch)
Images courtesy of PayPal, Shutterstock