Profile Hijacking Exploit On PayPal.me Has Been Fixed

Whenever an online payment giant has a critical flaw, the world looks very different all of a sudden. A vulnerability in the PayPal.me site has been patched recently. By using this exploit, an assailant could change a user’s profile without needing their permission to do so. Not a good way to advertise this third-party service, albeit no major harm has been done in the process.

PayPal.me Was Vulnerable To Profile Hijacking

It remains unclear as to how long this vulnerability has been present in the PayPal.me platform, which was launched in 2015. Security researchers came across this cross-site request forgery vulnerability earlier this week. Florian Courtial, the person responsible for identifying this bug, has been conducting white hat hacking for Slack and Trello in the past.

As it turns out, the CSRF token could be removed or edited, allowing assailants to update a user’s profile picture. However, submitting the form without redirection is not possible due to missing headers. Then again, having the ability to change someone’s user profile picture without their consent is worrying enough.

But there is more, as it does require a user action to trigger this particular attack. If the potential victim did not visit a malicious site hosting the CSRF exploit code, no harm would be done. In a way, this would not have been a serious threat by any means, as changing a profile picture is not harmful in any way.

The only real damage that could be done through this exploit is posting embarrassing photos of that person on their PayPal.me profile page. This would diminish the success of this professionally designed payment tool quite a bit. After reporting the bug to PayPal, the team quickly fixed the flaw and awarded Courtial with a US$750 bounty.

It is not the first time PayPal is fixing a worrisome bug on their platform. Earlier this year, the PayPal.com platform was plagued by a different vulnerability which would let attacks create a backdoor on the company’s servers. Luckily, that threat was eliminated rather quickly as well.

Image credit 1

If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.