PayPal Patches Security Vulnerability

PayPal has closed a security hole that could have allowed an attacker to hijack the account of any of its users in a targeted attack, according to VentureBeat.

The eBay payment subsidiary said on Wednesday (Dec. 3) that it paid a bug bounty after learning from a security researcher about a technique that would let an attacker hijack a PayPal account if the attacker knew only the user's PayPal email address and could trick the user into clicking on a malicious link. (The actual vulnerability involved PayPal's reuse of authorization tokens.)

"Our team worked quickly to address this vulnerability, and we have already fixed the issue," a PayPal spokesperson told VentureBeat. "There is no evidence that any customer was impacted. We are grateful to the security community for their contributions to the Bug Bounty Program, and helping us keep our customers’ information secure."

While PayPal didn't name the researcher, Egyptian researcher Yasser Ali, who posted a description of the security hole on his blog in October, said he had received a $10,000 bounty for finding the bug.

According to Ali, an attacker who successfully used his approach to exploit the vulnerability on a user's PayPal account would be able to add, remove or confirm an email address; add fully privileged users to a business account; change security questions; change billing and shipping addresses; change payment methods; and change user settings, including notifications and other mobile settings.
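The report describes the flaw only as a reuse of authorization tokens that let an attacker who knew a user's email address and could get them to click a link perform account changes such as those listed above. The following is an added illustration, not PayPal's code and not taken from Ali's write-up, of the general defect and its fix: an anti-request-forgery token that is the same for every session can be read from the attacker's own account and embedded in a link aimed at any other user, whereas a token derived from and checked against the victim's own session is useless to anyone else. All names, the HMAC construction, the session identifiers and the `change_email` handler are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; in a real deployment it
# comes from configuration, never from source code.
SERVER_SECRET = secrets.token_bytes(32)

# --- Weak pattern: one anti-forgery token shared by every session ------------
# Because the token is not bound to a session, a value obtained from any
# account is accepted for every account. (Constructed constant.)
SHARED_TOKEN = "constructed-static-token"


def change_email_weak(form: dict) -> tuple:
    """State-changing handler that only checks the shared token (the weakness)."""
    if not hmac.compare_digest(SHARED_TOKEN, form.get("csrf_token", "")):
        return (403, "token invalid")
    return (200, f"email changed to {form['email']}")


# --- Hardened pattern: token derived from, and checked against, the session --
def issue_token(session_id: str) -> str:
    """Derive a per-session anti-forgery token as HMAC-SHA256(secret, session id).

    The server never stores the token; it recomputes it from the caller's
    session on every check, so a token from session A cannot pass for session B.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def session_token_is_valid(session_id: str, submitted: str) -> bool:
    """Recompute the expected token for this session and compare in constant time."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)


def change_email(session_id: str, form: dict) -> tuple:
    """State-changing handler that refuses any token not issued for this session."""
    if not session_token_is_valid(session_id, form.get("csrf_token", "")):
        return (403, "token invalid for this session")
    return (200, f"email changed to {form['email']}")


def demo() -> dict:
    """Show that a token from one session is rejected for another only in the hardened handler."""
    victim, attacker = "sess-victim", "sess-attacker"      # constructed session ids
    foreign_token = issue_token(attacker)                  # token the attacker legitimately holds
    return {
        "weak_accepts_shared_token": change_email_weak(
            {"csrf_token": SHARED_TOKEN, "email": "x@example.invalid"})[0],
        "hardened_rejects_foreign_token": change_email(
            victim, {"csrf_token": foreign_token, "email": "x@example.invalid"})[0],
        "hardened_accepts_own_token": change_email(
            victim, {"csrf_token": issue_token(victim), "email": "x@example.invalid"})[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

The two handlers differ only in what the token is compared against: a constant versus a value recomputed from the requesting session. Binding the token to the session (or rotating it per session and storing it server-side) is the property that makes a captured or reused token worthless for a different user; the constant-time comparison is a secondary hygiene point.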


