An Egyptian hacker demonstrated that using a single exploit is possible to take control of any PayPal account due to the presence of a series of flaws .

The Egyptian security researcher, Yasser H. Ali has reported three critical vulnerabilities in PayPal website that could be exploited by an attacker to compromise users’ account. The vulnerabilities include a CSRF and an Authentication token bypass and Resetting the security question flaw.It’s not the first time that Yasser discovers similar bugs the users’ account has found  in the eBay website a series of vulnerabilities that allowed him to hijack any eBay account in just 1 minute.

The PayPal website is affected by a CSRF (Cross-site request forgery) vulnerability that allows an attacker to hijack users’ accounts, the vulnerability potentially puts millions of PayPal users’ account at risk.CSRF allows an end user to execute unwanted actions on a web application once he is authenticated, following a typical attack scheme, the attacker sends a link via email or through a social media platform, or share a specially crafted HTML exploit page to trick the victim into executing actions of the attacker’s choosing.

Yasser H. Ali has provided a Proof-of-Concept (PoC) video to explain how to exploit the flaw using a single exploit that benefits of the three vulnerabilities. As reported by the colleague at THEHACKERNEWS, Yasser exploited the CSRF exploit to associate a new secondary email ID to the targeted PayPal account and reset the answers of the security questions from the victim’s account.

“I found out that the CSRF Auth is Reusable for that specific user email address or username, this means If an attacker found any of these CSRF Tokens, He can then make actions in the behave of any logged in user.” Yasser explained to The Hacker News.

Pierluigi Paganini

(Security Affairs –  hacking, PayPal)