Vulnerability made it possible to run code via PayPal confirmation e-mails
German security researcher Benjamin Kunz Mejri has found a vulnerability in PayPal's account system through which malicious code could be sent in confirmation e-mails. He reported it through PayPal's bug bounty program.
To send the malicious e-mails, Mejri used an existing PayPal account. The vulnerability lay in the fact that he could enter arbitrary code in the field intended for the account holder's name, after first bypassing a filter. He then used the feature that lets a PayPal account be shared with others by adding multiple e-mail addresses.
The addresses added in this way received an e-mail asking them to confirm the addition. When the recipient opened the mail, the malicious code was executed from PayPal's servers.
This made it possible to carry out, among other things, phishing attacks, with the advantage that the e-mails originated from PayPal's official domain. Session hijacking and redirection to other pages were also possible. The vulnerability was fixed in early March, and Mejri received $1,000 for his report, about 880 euros.
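The root cause described above is a user-controlled field (the account holder's name) rendered into an e-mail template without output encoding, so that anything a filter missed reached the recipient as live markup. As an added example, not PayPal's code and not from the article, the following Python shows how a confirmation e-mail should render such a name so that any markup in it stays inert text, together with a parser-based check a test suite can run. The template wording, function names and sample values are hypothetical.

```python
"""Added example (hypothetical code, not from the article or from PayPal):
render an 'confirm this address' e-mail so that a user-supplied account-holder
name is emitted as inert text in the HTML part.
"""
import html
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample input: an account-holder name that contains HTML markup,
# as a user might submit it through a profile form.
SAMPLE_NAME = '<b title="x">Acme Shop</b>'
SAMPLE_ADDRESS = "new-user@example.invalid"

# Tags the (hypothetical) template itself produces; nothing else may appear.
TEMPLATE_TAGS = {"html", "body", "p"}


def render_html_body(holder_name: str, added_address: str) -> str:
    """Build the HTML part. Every untrusted value is escaped for the HTML
    element-content context it is interpolated into; quote=True also
    neutralises quotes, so the same helper is safe inside attributes."""
    safe_name = html.escape(holder_name, quote=True)
    safe_addr = html.escape(added_address, quote=True)
    return (
        "<html><body>"
        f"<p>{safe_name} has added {safe_addr} to their account.</p>"
        "<p>Please confirm this addition.</p>"
        "</body></html>"
    )


def render_text_body(holder_name: str, added_address: str) -> str:
    """Plain-text alternative: never parsed as HTML, so no escaping needed."""
    return (
        f"{holder_name} has added {added_address} to their account.\n"
        "Please confirm this addition.\n"
    )


def build_confirmation_email(holder_name: str, added_address: str,
                             sender: str = "no-reply@example.invalid") -> EmailMessage:
    """Assemble a multipart/alternative message. Headers are set through the
    email API rather than string concatenation, so header values are folded
    and encoded by the library instead of being spliced in raw."""
    msg = EmailMessage()
    msg["Subject"] = "Please confirm your e-mail address"
    msg["From"] = sender
    msg["To"] = added_address
    msg.set_content(render_text_body(holder_name, added_address))
    msg.add_alternative(render_html_body(holder_name, added_address), subtype="html")
    return msg


class _TagCollector(HTMLParser):
    """Collects every start tag the HTML parser actually sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: set[str] = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.add(tag)


def collect_tags(rendered_html: str) -> set[str]:
    """Parse the rendered body the way a mail client would and return the
    set of tags present. A correctly escaped body yields only TEMPLATE_TAGS."""
    collector = _TagCollector()
    collector.feed(rendered_html)
    collector.close()
    return collector.tags


def user_markup_is_inert(holder_name: str, added_address: str) -> bool:
    """Check: the rendered HTML introduces no tags beyond the template's own."""
    return collect_tags(render_html_body(holder_name, added_address)) <= TEMPLATE_TAGS


if __name__ == "__main__":
    body = render_html_body(SAMPLE_NAME, SAMPLE_ADDRESS)
    print(body)
    print("inert:", user_markup_is_inert(SAMPLE_NAME, SAMPLE_ADDRESS))
```

The check in `collect_tags` is the useful part for a regression suite: instead of asserting that particular strings are absent (the blocklist approach the article says was bypassed), it parses the final output and asserts that only the template's own elements exist, which does not depend on guessing what an attacker might type.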