
Hacking PayPal Accounts with one click - butwhy
http://yasserali.com/hacking-paypal-accounts-with-one-click/
======
tshadwell
Pivotal paragraph: "We have found out that an Attacker can obtain the CSRF
Auth which can be valid for ALL users, by intercepting the POST request from a
page that provides an Auth Token before the Logging-in process, check this page
for the magical CSRF Auth
[https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money](https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money).
At this point the attacker Can CSRF "almost" any request on behalf of this
user."

He captured a cross-site request forgery token which was valid for all users.

~~~
probablyfiction
Someone (or even more frightening, multiple someones) at Paypal didn't
understand the point of CSRF tokens. A new random value for each request is
essential to maintain the integrity of the measure. CSRF tokens should never
be used as a type of global authentication value. The fact that this made it
to production is mind-blowing.

EDIT: Looks like I am wrong on HN. Damn.
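
To make the point above concrete, here is an added illustration (my own example, not code from the blog post or from PayPal): a single anti-CSRF token that is only checked for equality is accepted no matter whose session submits it, while a token bound to the session id with an HMAC is rejected outside the session it was minted for. The session ids and server key are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment keeps this in a secrets store.
SERVER_KEY = secrets.token_bytes(32)

# --- Flawed scheme (models the design flaw discussed in the thread) ----------
# One token is minted for the anonymous pre-login page and validated purely by
# equality, so it is independent of which user later submits the request.
GLOBAL_TOKEN = secrets.token_hex(16)

def flawed_issue_token(session_id: str) -> str:
    return GLOBAL_TOKEN  # session_id is ignored

def flawed_validate(session_id: str, token: str) -> bool:
    return hmac.compare_digest(token, GLOBAL_TOKEN)  # still ignores the session

# --- Session-bound scheme ----------------------------------------------------
# The token is an HMAC over the session id, so a token obtained in one session
# (an attacker's own) does not validate when presented with another session.
def bound_issue_token(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def bound_validate(session_id: str, token: str) -> bool:
    return hmac.compare_digest(token, bound_issue_token(session_id))

def login(anonymous_session_id: str) -> str:
    """Re-issue the session id at authentication so a token minted for the
    anonymous pre-login session no longer validates once the user is logged in."""
    return "sess-auth-" + secrets.token_hex(8)

def cross_session_accepted(issue, validate) -> bool:
    """True if a token minted in one session validates under another, i.e. the
    scheme offers no CSRF protection between accounts."""
    attacker_session = "sess-attacker-" + secrets.token_hex(4)  # constructed
    victim_session = "sess-victim-" + secrets.token_hex(4)      # constructed
    token = issue(attacker_session)         # token fetched in the attacker's own session
    return validate(victim_session, token)  # would the victim's session accept it?

if __name__ == "__main__":
    print("global token accepted cross-session:",
          cross_session_accepted(flawed_issue_token, flawed_validate))
    print("bound token accepted cross-session:",
          cross_session_accepted(bound_issue_token, bound_validate))
```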

~~~
dsjoerg
Don't worry, everyone on HN is wrong.

~~~
antsar
This is quite paradoxical. :)

~~~
heinrich5991
It's just not true, i.e. false.

Assume that everyone was lying. Then this statement is true, but as a lie it
must be false. Contradiction. So this case is not possible.

Assume that not everyone was lying, e.g. some other post is false. Then this
statement is false. This fits together if you have another post that is false.

~~~
malka
[http://aeon.co/magazine/philosophy/logic-of-buddhist-philosophy/](http://aeon.co/magazine/philosophy/logic-of-buddhist-philosophy/)
found this on hn a while ago. You might find this relevant to the logical
paradox you are exposing.

~~~
pluma
This is why I can't take philosophy seriously anymore.

Examples like the "this statement is false" thing are just rife with
equivocations and other blatant nonsense. Yes, there is such a thing as
"neither true nor false", but every example for "both true and false" I've
seen is based on lousy thinking and semantic games.

Also, as a JS programmer, the distinction between true/false/neither/ineffable
is very familiar (i.e.: true/false/null/undefined, null denoting the absence
of a value and undefined denoting the absence of a definition -- though of
course in practice the distinction is rarely necessary resulting in a lot of
confusion and unnecessary double checks).

It's got nothing to do with "mysticism". It's just armchair linguistics.

------
IkmoIkmo
Paypal should literally pay upwards of $100k for a bug like this. This is a
game-changing systemic security issue putting literally every single customer
at risk, as well as putting at least a minor dent in the brand of a $40 billion
company. $10k is a joke.

Wouldn't say $10k isn't nice. Rather, I'd say that history has told us people
are susceptible to money. And if someone can choose between $10k and selling
information worth much more, let's just conservatively say without pulling
numbers from my ass, people would choose the latter option more than Paypal
ought to want them to, and that this costs them way more than the $10k they'd
otherwise lose. I think that's a pretty fair statement.

Anyway, about the issue itself... Really don't know what to think, it's pretty
insane, puts a lot of things into perspective once more. (the whole 'if Paypal
can't secure xyz, can my local hospital keep my health records safe, am I
equipped to handle my own digital security responsibilities?' train of
thought).

Oh if anyone feels like thinking this through, how bad do you guys think this
hack could have turned out if deployed by a malicious group? Paypal is pretty
walled in with various limits, fraud checks, frozen accounts, multi-day bank
transaction processing, reversible transactions, partnerships with banks to do
chargebacks there, and they do KYC on every account. The offramps are
therefore pretty limited unless you completely expose your identity. Of course
they could buy a ton of stuff online, but how anonymous would the shipping be,
and what could you buy with Paypal that would be liquid enough, would ship
quickly and could be received fairly anonymously (you don't want to use this
hack and end up with 100 playstations and on 3-day shipping to your own home
and have police arrive before the goods do!). I wonder what the best plan of
action would be, I can't really come up with any solid way to actually walk
away, anonymously, with a ton of money but surely there must be one. Indulge
me if you want!

~~~
peteretep
Their bug bounty is $10k, plus you get to talk about it, plus you don't go to
jail. That's a pretty compelling package when compared to the $100k but your
suspicious activity is forwarded to the cops.

~~~
logn
Plus you don't have to figure out how to hide $100K on your taxes.

~~~
toolz
I personally would take the 10k because the reputation from finding a bug like
this alone is worth more than that, but pretending I wanted to go black
market, I can't imagine it would be particularly hard to launder money as long
as you paid the taxes that came with that money.

------
dmix
Reminds me of how PayPal implemented 2FA, then someone immediately found a
bypass since they only made 2FA a requirement for a particular web login page
instead of EVERY login entry-point (ie mobile or APIs). PayPal's security
continues to be embarrassingly bad.

~~~
pm90
They're not laughably bad, they have had to manage a huge, aging software
system and build infrastructure on top and around it.

They may have made many mistakes, but some of the smartest people I know work
there, and most of the work they do is first-class.

~~~
dmix
> most of the work they do is first-class

Are we talking about the same PayPal?

Have you seen their web interface or their APIs? It hasn't evolved at all in
10 years. It's the same convoluted, bloated, and slow web experience as it was
in 2005. Just because a few smart people work there doesn't mean the project
is outputting quality software.

Countless software companies have been able to take aging and massive
codebases and evolve them to more modern usable states. Most of the time these
big companies such as Microsoft or Oracle still output bad software but at
least they show signs of evolution and investment. From an outsider's
perspective Paypal is particularly bad at this, their software quality and UX
has been in a perpetual stasis while Stripe and others eat their lunch. And
that's not simply because of their famously bad customer service.

~~~
thibaut_barrere
I'm not a PayPal fan - but at least on my account, the UX has changed
significantly since 2005 (especially last year or something), and I could find
everything I need for my accounting easily.

~~~
ericcholis
The general consumer interface is great now. The business interface, however,
is not. It's still the same slow UI from 2005. Actually, it feels like they
are still running on servers from 2005. Simple (email, date range, etc...)
searches take FOREVER.

~~~
iancarroll
The business interface is also upgraded unless you decided to opt out.

~~~
ericcholis
Can't say I noticed an opt-in, thanks for the info.

~~~
iancarroll
Ah, I thought I was automatically upgraded but it was a while ago.

------
downandout
I think I speak for us all when I say ???????!!!!!!!. This exploit is as big
as they come. They should have paid him many times their $10k maximum bounty
in exchange for an NDA, as I am sure I am not alone in saying that this shakes
my confidence in PayPal. While I have never trusted them as far as random
account freezings etc., I didn't ever expect something as fundamental and
serious as this. When you think of all the engineers they must have dedicated
to security, it is almost unfathomable that this was missed.

~~~
oxalo
Security is hard. I think the more important thing here is that Paypal fixed
it quickly and honored the bug bounty. I'd be more worried if they tried to
shove it under the rug.

~~~
downandout
> _Security is hard._

Security _is_ hard. But activating tokens before a user has actually logged in
is a breathtakingly incompetent, fundamental design flaw. How such code ever
made it into the production code base of a company responsible for protecting
billions of dollars along with financial information for a significant portion
of the world is incomprehensible. It makes me wonder what else is lurking over
there.

------
Globz
10K for this kind of vuln is very cheap on their part.

This is serious when you consider that they are moving millions of
transactions every day...

CSRF valid for ALL users, ouch!

~~~
ripb
If it's any consolation, 10k USD is about 14x the median monthly salary in
Egypt.

[http://sites.miis.edu/educationinegypt/files/2013/05/CIEsala...](http://sites.miis.edu/educationinegypt/files/2013/05/CIEsalaryEgypt.pdf)

~~~
hobs
Consider what the finder could have sold the exploit for, and the damage it
could have caused.

I think given that you could effectively steal from any account for which you
knew the email was worth significantly more than 10k.

~~~
Mahn
> you could effectively steal from any account for which you knew the email

If you succeed in CSRF attacking him, that is.

------
lost_name
Paypal's Bug Bounty program, for the curious:
[https://www.paypal.com/webapps/mpp/security/reporting-security-issues](https://www.paypal.com/webapps/mpp/security/reporting-security-issues)

~~~
talles
Paypal detects that I'm in Brazil and gives me the Brazilian version of the
website, in which the link is 'Not Found'.

There is no locale on url whatsoever. I have to manually change my country to
United States in their menu and then I'm able to access the url. So annoying.

Why not show the page with a simple warning such as "Sorry, we don't have
this content in your language, here's the original:"...

~~~
rtpg
From what I've understood about Paypal, international entities are more or
less completely separate from Paypal US (hence these sorts of events).

Commonly it was API features that work subtly differently depending on the
region of the world you're in, but help pages also end up with completely
different URL schemes.

~~~
fiatjaf
They cannot be: I had an account at the American Paypal and it was
automatically transferred to Brazil when they opened here.

~~~
jotm
Huh, they just told me to open a new account in Europe...

------
jrochkind1
Oh man. Security is hard, and I expect security flaws to be found in almost
any software.

But these don't _seem_ to be flaws that you'd have if you were spending as
much money/resources/prioritization on security as I'd expect a business in
Paypal's business to be spending.

Am I wrong?

~~~
beachstartup
well, by definition you're wrong.

it wouldn't surprise me if companies such as paypal have moles who actively
compromise software through subtle means. if it can happen in the government
it can definitely happen in a huge software company.

~~~
lostcolony
Possibly even -by- the government. No tinfoil hat needed; thanks, NSA!

------
codegeek
Thanks for this. Another reason for me to get off Paypal as fast as I can. I
understand that vulnerabilities can exist with any system but Paypal just
continues to amaze. Unfortunately, I still have 3 customers on paypal :(

------
Nanzikambe
Anyone know what the interception proxy/tool he's using in the screenshots is?
I could really have used that a few days ago

~~~
chilgart
It's Burp Suite. [http://www.portswigger.net/](http://www.portswigger.net/)

------
user1024
Scary stuff. My Paypal was compromised earlier this week; wondering if this
vulnerability or one like it was used.

------
thekylemontag
I can only imagine how much money he got for this one. Very serious bug given
how easy it was to reproduce.

~~~
aligajani
Says in his blog comments he got paid $10,000

------
lcfcjs
Should have used js, fuckin noobs

