PayPal Patches Security Vulnerability

PayPal has closed a security hole that could have allowed an attacker to hijack the account of any of its users in a targeted attack, according to VentureBeat.


The eBay payment subsidiary said on Wednesday (Dec. 3) that it paid a bug bounty after learning from a security researcher about a technique that would let an attacker hijack a PayPal account if the attacker knew only the user’s PayPal email address and could trick the user into clicking on a malicious link. (The actual vulnerability involved PayPal’s reuse of authorization tokens.)

“Our team worked quickly to address this vulnerability, and we have already fixed the issue,” a PayPal spokesperson told VentureBeat. “There is no evidence that any customer was impacted. We are grateful to the security community for their contributions to the Bug Bounty Program, and helping us keep our customers’ information secure.”

While PayPal didn’t name the researcher, Egyptian researcher Yasser Ali, who posted a description of the security hole on his blog in October, said he had received a $10,000 bounty for finding the bug.

According to Ali, an attacker who successfully used his approach to exploit the vulnerability on a user’s PayPal account would be able to add, remove or confirm an email address; add fully privileged users to a business account; change security questions; change billing and shipping addresses; change payment methods; and change user settings, including notifications and other mobile settings.
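The root cause named above, an authorization token that stays valid when reused in a request it was not issued for, is the classic failure mode of CSRF protection. The following is an added illustration, not PayPal's code or Ali's write-up: a token check that only tests whether the server ever issued the token, beside one that binds the token to the session and user (all identifiers and timestamps are constructed).

```python
# Added example (not PayPal's code): a CSRF/authorization token must be bound to the
# session and user it was issued for, or it can be replayed. All values constructed.
import hashlib, hmac, secrets, time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed per-deployment secret

# Weak design: any token the server ever issued is accepted in any request.
ISSUED_TOKENS = set()

def mint_unbound() -> str:
    tok = secrets.token_hex(16)
    ISSUED_TOKENS.add(tok)
    return tok

def verify_unbound(token: str) -> bool:
    # Only existence is checked, so a token obtained in one account's session
    # is equally valid when replayed in a forged request against another.
    return token in ISSUED_TOKENS

# Hardened design: token is an HMAC over session id, user id and issue time.
def mint_bound(session_id: str, user_id: str, now: Optional[float] = None) -> str:
    issued = int(time.time() if now is None else now)
    msg = f"{session_id}|{user_id}|{issued}".encode()
    return f"{issued}.{hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()}"

def verify_bound(token: str, session_id: str, user_id: str,
                 now: Optional[float] = None, max_age: int = 3600) -> bool:
    # Recompute the MAC for this session and user; a token minted for anyone
    # else, or older than max_age, fails (compared in constant time).
    try:
        issued_s, mac = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= max_age:
        return False
    msg = f"{session_id}|{user_id}|{issued}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def replay_demo() -> dict:
    # Constructed scenario: a token issued in session A is replayed against session B.
    t = 1_700_000_000
    weak, strong = mint_unbound(), mint_bound("sess-A", "a@example.com", now=t)
    return {"weak_accepts_replay": verify_unbound(weak),
            "bound_accepts_own": verify_bound(strong, "sess-A", "a@example.com", now=t),
            "bound_rejects_replay": verify_bound(strong, "sess-B", "b@example.com", now=t),
            "bound_rejects_stale": verify_bound(strong, "sess-A", "a@example.com", now=t + 7200)}
```

Binding the token this way means a token harvested from one session proves nothing in another, which is the property the fix described in the article had to restore.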