Paypal bug $10K – All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts

Paypal bug $10K – All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts

  • Post Author:
  • Post Category:PoC
  • Post Comments:7 Comments

In the name of Allah the beneficient the most merciful.

It’s been quite long time i wrote a blog due to some commitments , Today i would like to disclose one of my findings in Paypal which was reported via Hackerone.

This bug allowed me to takeover all secondary accounts of any paypal business account , there was an IDOR bug which gave me control over any secondary user account i want.

Paypal business accounts are used by millions of organizations worldwide and business owners
assign various privileges to secondary user accounts so as to ease their task. One of the privilege business owners give to secondary user is transfer money from paypal business account to any other account they like .  So, i used this particular privilege in describing the issue which if exploited it would have given attacker unauthorized access to transfer money from any paypal business account by taking over secondary account of users having privilege as “Transfer money”.

Steps:
Two different business accounts were needed for POC.

-> From victim@gmail.com business account i created secondary user
having username as victim1234

-> From attacker@gmail.com business account i created secondary user
having username as attacker1234

-> From attacker account after going to secondary user account
here https://www.paypal.com/businessmanage/users/1660971175791245038
( this id is for attacker1234 , from attacker@gmail.com ) and then captured the request
to edit the permission like this

PUT /businessmanage/users/api/v1/users? HTTP/1.1
Host: www.paypal.com
Connection: close

[{“id”:”1660971175791245038″,”accessPoint”:{“privileges”:[“MANUAL_REFERENCE_TXN”,”VIEW_CUSTOMERS”,”SEND_MONEY”],”id”:”4446113495″,”accounts”:[“attacker@gmail.com”]},”roleID”:0,”roleName”:”CUSTOM”,”privilegeChanged”:true,”privilegeSecondaryName”:”ttt ttts”}]

->  Now in the above PUT request the first id “it can be anything” i entered
id:”asdfjdsf”( some dummy value)  and in the  second id:446113495 , is the actual id of each secondary user which was vulnerable to IDOR.

->  This second id is incremental and enumerable as it’s only numbers.
If attacker would have changed it to 44613496(lets suppose it is id of victim1234 ) then the associated secondary user account i.e., victim1234 would have been listed to him in https://www.paypal.com/businessmanage/users .

-> This way if attacker would have just enumerated from 44613495 to 44613999 then all these secondary accounts would have been showed to him in Manage users section of attackers business account , then attacker  just needed to change the password of user via Manage users section and Game over!!
Complete takeover of any secondary account.

-> After this attacker could have login to any secondary user account having privilege as “Transfer Money” and then it would have allowed him transfer money from victim account to attacker own account .

Now Paypal remediated the issue and found no evidence of any kind of abuse associated with it.

Summary by Paypal in hackerone about the issue.

Paypal bug $10K - All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts

Thanks for reading.

Hope you enjoyed reading it.

This Post Has 7 Comments

  1. Beatrice

    An impressive share! I’ve just forwarded this onto a friend who was doing a little research
    on this. And he actually ordered me lunch due to the fact
    that I discovered it for him… lol. So allow me to reword this….
    Thanks for the meal!! But yeah, thanx for spending time to talk about
    this issue here on your internet site.

    1. admin

      Thankyou

  2. AngelBMirjah

    I am curious to discover what blog system you possess been utilizing?
    I’m having some small security issues with my latest blog and I would personally want to find something more safeguarded.

    Have you got any suggestions?

    Feel free to visit my web site … AngelBMirjah

  3. Thanks for the personal marvelous posting! I genuinely enjoyed reading it, you might
    be a fantastic author.I will make sure that to bookmark your blog and definately will
    eventually revisit afterwards. I would like to
    encourage one to continue your great posts, have got a nice morning!

    my blog post … unlined paper notebook

Leave a Reply