Researcher discovered vulnerability in PayPal

Researcher Michael Stepankin has found a vulnerability in PayPal. By exploiting it, Stepankin was able to execute system commands on PayPal's servers.

According to Stepankin, the remote code execution vulnerability was found on one of PayPal's business websites. It allowed him to execute arbitrary shell commands on the PayPal servers because of unsafe Java object deserialization, which in turn gave him access to PayPal's production databases. He reported the vulnerability to PayPal; the company has since fixed it and paid Stepankin a reward.

In December 2015 the researcher was carrying out security tests on the website when he discovered that it was possible to execute arbitrary shell commands on the PayPal web servers. Among other things, Stepankin could connect to his own web server, upload a backdoor and use it. To demonstrate the vulnerability, Stepankin transferred the “/etc/passwd” file to his own server. He also made a video in which he exploits the Java object deserialization vulnerability.

PayPal says the vulnerability was bigger than it had initially anticipated. The cause is Java applications that deserialize untrusted data and have commons-collections in their classpath. According to the company, security researcher Mark Litchfield had reported the vulnerability a few days before Stepankin did. Litchfield says there were nine different points where the problem occurred, but PayPal states that they all had the same origin and that the underlying problem has been resolved.
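The root cause described above, an application calling `ObjectInputStream.readObject()` on data it does not control, is worth seeing next to its fix. The following is an added example, not code from PayPal or from either researcher: `unsafeRead` shows the vulnerable pattern, in which the stream itself decides which class gets instantiated (so any gadget class on the classpath, such as one from commons-collections, is fair game), and `safeRead` shows the mitigation available since JDK 9 (and backported to 8u121), an `ObjectInputFilter` allow-list that rejects every class the service does not expect before any of that class's deserialization code runs. The `Greeting` DTO and the class name in the filter pattern are constructed for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

public class DeserializationFilterDemo {

    // Constructed DTO standing in for the one type the service legitimately expects.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // VULNERABLE pattern: the bytes name the class, and the JVM instantiates it.
    // Any serializable class on the classpath (library gadgets included) is reachable,
    // and its readObject/hashCode/toString logic runs before the caller sees anything.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: an allow-list filter (JEP 290). Only Greeting and String are
    // accepted; "!*" rejects everything else. maxdepth/maxrefs bound the object graph
    // so a deeply nested or self-referencing payload cannot exhaust the heap.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$Greeting;java.lang.String;maxdepth=3;maxrefs=16;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);   // must be set before the first readObject()
            return in.readObject();            // throws InvalidClassException on REJECTED
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected   = serialize(new Greeting("hello"));
        byte[] unexpected = serialize(new Date());   // harmless stand-in for any unlisted class

        // Unfiltered: both streams are happily deserialized, whatever class they name.
        System.out.println("unsafeRead(expected)   -> " + ((Greeting) unsafeRead(expected)).text);
        System.out.println("unsafeRead(unexpected) -> " + unsafeRead(unexpected).getClass().getName());

        // Filtered: the expected DTO still works, the unlisted class is refused up front.
        System.out.println("safeRead(expected)     -> " + ((Greeting) safeRead(expected)).text);
        try {
            safeRead(unexpected);
            System.out.println("safeRead(unexpected)   -> accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("safeRead(unexpected)   -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on JDK 9 or later. The same allow-list can be applied process-wide with the `jdk.serialFilter` system property, which is the practical way to cover the "nine different points" a large application may have without touching each one; an allow-list of expected types is preferable to a deny-list of known gadget classes, since new gadget chains keep appearing in libraries that were previously considered harmless.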
