Security expert discovered a way to hack a PayPal server by exploiting a Remote Code Execution flaw affecting the Java Debug Wire Protocol (JDWP) protocol.

Security researcher Milan A Solanki discovered a new critical remote code execution vulnerability in PayPal platform. An attacker could exploit the vulnerability to execute arbitrary code on the PayPal  Marketing online-service web-application server, the flaw has been rated Critical by Vulnerability Lab with a CVSS count of 9.3.

Solanki reported the flaw to the Paypal developer team that promptly fixed it.

The Remote Code Execution flaw affects the Java Debug Wire Protocol (JDWP) protocol of the PayPal marketing online service web-server, as explained by Oracle this optional protocol it used for communication between a debugger and the Java virtual machine (VM) which it debugs.

One year ago security researcher at IOActive Christophe Alladoum published an interesting post titled “Hacking the Java Debug Wire Protocol – or – “How I met your Java debugger”. The JDWP does not implement any authentication mechanism, this allows an attacker to execute arbitrary code remotely onto the affected Web server.