During 2014 we recorded many events competing for the title of “hack of the year”, but had this one fallen into the wrong hands it would certainly have topped the podium. An Egyptian researcher named Yasser Ali discovered a security hole in PayPal that allowed access to any account using a fake e-mail address, a Python script and a couple of clicks. The good news? The bug has been fixed and Ali received a well-deserved reward.
When a program or service fixes a security problem, it is always good news. The system becomes more robust and users get a safer environment, which reinforces things like trust and loyalty. Ideally the security problem would not exist in the first place; however, the people who create programs and services are human. As such, they are exposed to all kinds of circumstances that can cause an innocent mistake in a line of code, one that a couple of months (or even years) later can have disastrous consequences. At the same time, we also keep discovering appalling security practices, as happened with the recent Sony Pictures hack, where they had a folder called “password” with all of their passwords inside. The latest such vulnerability takes us to PayPal and to a researcher named Yasser Ali.
What Ali found is disturbing. The so-called CSRF tokens, sent in the “Auth” parameter and used to validate every request made by a PayPal user, are supposed to change after each action for security, but Ali discovered that the CSRF Auth token was reusable for a given user and e-mail address. He then found that he could obtain a valid CSRF token not only by attempting a fake send-money transaction to the victim’s e-mail address, but also by intercepting a POST request to a certain PayPal page, which handed back a CSRF Auth token that was accepted for any user. Of course, to change the account password the attacker still has to answer the security questions… but the story does not end there: the request to change the security questions is not protected by a password, so the same CSRF attack works against it too. Security questions, e-mail, payment methods, e-mail addresses and physical addresses are some of the things at the mercy of this technique.
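To make the weakness concrete, here is an added example in Python (not PayPal’s code and not taken from Ali’s write-up) that models the two token designs side by side: a guard that mints a fresh token on every request but accepts any token it ever issued, no matter which session presents it, next to one that binds each token to its session with an HMAC and compares it in constant time. The `AccountService` endpoint, its field names, the session identifiers and the sample passwords are assumptions for illustration only; the `require_password` flag models the second fix the page points at, re-authenticating before sensitive changes such as the security questions.

```python
import hashlib
import hmac
import secrets

# Toy model of a CSRF-protected settings endpoint. All names, fields and
# sample values below are constructed for illustration; none come from PayPal.

SENSITIVE_FIELDS = {"password", "security_questions", "email",
                    "payment_methods", "address"}


class ReusableTokenGuard:
    """Models the flaw: a token is minted per request, but verification only
    checks that the token was ever issued, not that it belongs to the session
    presenting it. A token captured from the attacker's own session is
    therefore accepted on the victim's behalf."""

    def __init__(self):
        self._issued = set()

    def issue(self, session_id):
        token = secrets.token_hex(16)   # changes after every action...
        self._issued.add(token)
        return token

    def verify(self, session_id, token):
        return token in self._issued    # ...but is never bound to session_id


class SessionBoundTokenGuard:
    """Fix: an HMAC over the session id under a server-side secret, so a
    token is only valid for the session it was issued to. compare_digest
    avoids leaking the expected value through timing."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def issue(self, session_id):
        return hmac.new(self._secret, session_id.encode(),
                        hashlib.sha256).hexdigest()

    def verify(self, session_id, token):
        return hmac.compare_digest(self.issue(session_id), token)


class AccountService:
    """Hypothetical settings endpoint. With require_password=False a
    sensitive change is guarded by the CSRF token alone, as the page
    describes; with require_password=True the current password is also
    demanded, so a forged request cannot succeed even if the token check
    is bypassed."""

    def __init__(self, guard, require_password):
        self.guard = guard
        self.require_password = require_password
        self.accounts = {}   # session_id -> account dict (constructed data)

    def register(self, session_id, password):
        self.accounts[session_id] = {
            "password": password,
            "security_questions": {"pet": "rex"},
        }

    def change_setting(self, session_id, token, field, new_value,
                       current_password=None):
        """Return True if the change was applied, False if it was refused."""
        account = self.accounts[session_id]
        if not self.guard.verify(session_id, token):
            return False
        if field in SENSITIVE_FIELDS and self.require_password:
            if current_password is None or not hmac.compare_digest(
                    account["password"], current_password):
                return False
        account[field] = new_value
        return True


def simulate_forged_request(guard_cls, require_password):
    """A cross-site request forged against the victim: the browser sends the
    victim's cookies (so session_id is 'victim'), while the token was
    obtained by the attacker from a request in their own session. Returns
    whether the victim's security questions were overwritten."""
    svc = AccountService(guard_cls(), require_password)
    svc.register("victim", password="hunter2")
    svc.register("attacker", password="pwned")
    attacker_token = svc.guard.issue("attacker")   # e.g. captured from own POST
    return svc.change_setting("victim", attacker_token, "security_questions",
                              {"pet": "attacker-chosen"})


if __name__ == "__main__":
    print("reusable token, no re-auth:",
          simulate_forged_request(ReusableTokenGuard, False))       # True
    print("reusable token, re-auth:  ",
          simulate_forged_request(ReusableTokenGuard, True))        # False
    print("session-bound token:      ",
          simulate_forged_request(SessionBoundTokenGuard, False))   # False
```

Run as-is to see the three outcomes. Either fix alone stops the forged change: binding the token to the session defeats the captured token, and requiring the current password before sensitive changes means that even a token-check bypass cannot rewrite the security questions, e-mail or payment details.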
Or should I say “were”. The proof of concept shown in the video is no longer valid. Ali contacted PayPal representatives, who corrected the bug immediately, and under its Bug Bounty Program the company paid Ali its highest available award: $10,000. We must not only thank Ali for making the right decision (let’s face it, he could have sold the bug on the black market), but also take this as an excellent opportunity to remind companies that bug-prevention campaigns and rewards designed for experts do work. If the incentive is right and communication is given top priority, unpleasant situations can be avoided.