PayPal Vulnerability Publically Disclosed

paypal_hackedIndependent bug bounty researchers have just publicly disclosed a vulnerability affecting PayPal’s MOS (Multi-Order Shipping) Web Application. The vulnerability allowed researchers to inject malicious code into the “Preset Name” field while using the application to create a new shipping preset.

PayPal Corporation was privately notified of this vulnerability prior to public disclosure, and as of May 10th, 2014 it has been patched.

How this vulnerability was exploited

To clarify, there are no reports that indicate that this vulnerability was or is being exploited by criminals. Fortunately, it was discovered by white-hat researchers at vulnerability-lab.com. Details of their proof-of-concept exploit can be found in this publication.

According to the disclosure, the discovered vulnerability allowed researchers to inject malicious code into one of the form fields customers are presented with when ordering from merchants with the PayPal MOS Web Application. The injected code would then be executed when merchants opened their order forms. In testing, executed code was designed to drop a benign payload; but, in theory it could have been designed to drop malware and to steal merchant funds.

Researchers performed this proof of concept attack with dummy accounts, and only a low-privileged user account was needed to carry out the exploit.

Should I be worried about my PayPal account?

Short answer: No.

PayPal has patched the vulnerability and it can no longer be exploited.

Long answer: Yes.

But only because you should always be a little cautious about your online funds.

Readers who’ve taken a glance at this vulnerability’s official public disclosure might find it somewhat alarming that initial notification to PayPal occurred on August 8th, 2013 – a full 9 months ago.  So far, there are no reports that indicate that this vulnerability was exploited during that time.

Watch out for phishing attacks

In the days that follow this disclosure, it is likely that PayPal will issue an official statement to its customers. It is also likely that cybercriminals will use this as an opportunity to create phishing emails and landing pages that play off the disclosure’s hysteria. Such phishing messages and websites are used to steal your credentials and even infect your computer with financial Trojan malware like Zeus.

Don’t become a victim. If you receive anything from PayPal – or someone pretending to be PayPal – it’s best to avoid clicking the provided link and navigate to the real PayPal.com on your own.

Can Emsisoft protect me from things like this?

We try our best to notify our users of important vulnerabilities affecting major websites, software, and service providers. Additionally, the Emsisoft Internet Security pack comes with our Online Armor Firewall, which allows users to run a fully-protected Banking Mode for secure online banking.

This capability will also be included in the upcoming Emsisoft Internet Security 9, our first ever fully integrated Internet Security Suite which is now available for beta download and testing: emsi.at/beta9

Have a Great (Vulnerability-Free) Day!