PayPal has revolutionized the e-commerce market in recent years with its convenient characteristics that bolster user privacy. Gone are the days when online shopping required cumbersome bank transfers or complex credit card verifications. Unfortunately there is still work to be done on the security front after Egyptian researcher Yasser Ali shocked the world with his PayPal bug finding.
This worrying discovery was made during a PayPal Bug Bounty Program where Mr.Ali exposed PayPal’s inability to deal with a rather straightforward Cross-Site Request Forgery (CSRF) exploit. He was eventually rewarded $10,000 for locating this critical loophole.
A regular starrer in the OWASP Top-10, CSRF attacks are fast gaining popularity in hacking circles. As per the Seperfecta (The top-4 types of cyberattacks executed today – SQL injection, Cross-site Scripting, Directory Traversal and CSRF) released by FireHost, CSRF attacks almost doubled from Q1 of 2012 to the Q1 of 2013.
What are CSRF attacks all about?
CSRF attacks manipulate the inability of the applications to authenticate user access. The victim first logs on to the CSRF vulnerable web application, which initiates the session and creates an anti-CSRF token. He is then free to interact with the server and perform data modifying tasks. This is where the malicious attacker enters the picture.
The malicious attacker uses social engineering techniques to make the victim click on malicious URLs containing legal commands for the targeted web application. Once the malicious URL is clicked, the web application assumes the commands are coming from the victim and performs them. The hacker is then free to perform malicious attacks.
Potential CSRF risks include:
- Impersonation and identity riding.
- Modification of application data with the victim’s credentials and permissions.
- Posting content on behalf of the victim without his consent or prior knowledge.
- Launching of organized attacks against all of the application’s users.
- Exploitation of vulnerable DSL routers.
How did Yasser Ali locate the PayPal bug?
Yasser Ali, an Egyptian security expert who likes to test the robustness of applications, accepted the PayPal Bounty Program challenge. He played around with the web application by trying to perform bogus money transfers and soon found the aforementioned PayPal bug that could have spelled disaster if discovered by malicious attackers.
The two specific issues Yasser Ali located were:
1 – The main problem was with the anti-CSRF authentication token. Just typing in any active email ID with a wrong password enabled him to intercept the valid anti-CSRF authentication token. As shown in the POC below, all Ali needed to do was to capture the POST request sent back to PayPal before the logging in process.
2 – This PayPal bug led to another finding related to the security questions of the platform’s registered users. It turned out that Ali could easily reset any user’s security questions, which were not password protected. He managed to alter user’s answers with the help of malicious Python scripts run on his private server.
Yasser Ali’s PayPal Bug POC.
Yasser Ali told Checkmarx in an exclusive Q&A that these CSRF vulnerabilities should be taken seriously as malicious attackers pounce immediately on these loopholes once they are exposed. For example, just a fake/bogus eBay sale can lure in thousands of users who are basically delivering their PayPal details straight into the hacker’s hands.
PayPal promptly acknowledged Ali’s findings, paid him the promised cash reward and fixed the problem almost immediately, assuring its customers that no accounts were compromised prior to the finding.
How can CSRF attacks be tackled and how does Source Code Analysis (SCA) help?
CSRF attacks are typically combated by using the aforementioned anti-CSRF tokens, which the user acquires once he legally logs into the application. This token is passed and validated by the server in all subsequent requests. These anti-CSRF tokens can be given to the user per-session or per-request, the second being the safer option.
Another common technique used to combat CSRF attacks is the automatic timing out of sessions. In this way, the malicious attacker has limited time to manipulate compromised accounts.
SCA helps developers in implementing the anti-CSRF token technique. After performing the scan, developers/auditors are alerted about the crucial junctions in the code structure and this is where they eventually insert their anti-CSRF solutions. This SCA testing results in robust applications that are hard to hack with the CSRF technique.
“Static Code Reviewing is mandatory from the security perspective. Companies can mitigate a lot of problems if they use Source Code Analysis (SCA),” Ali commented when asked about the importance of integrating Source Code Analysis solutions into the development process and locating vulnerabilities as early as possible.
PayPal, which was acquired by eBay in 2002, was responsible for transactions worth over $180 billion in 2013 alone. Despite plans to separate the business from eBay in 2015, PayPal is expected to remain a top acquirer in the e-commerce world for many years to come. It must hence make sure that millions of customers worldwide are safe.
The bounty program implemented by PayPal is a step in the right direction, but counting on ethical hackers alone is inadequate. Applications must be secured from the root – the source code. For a free SCA trial – Click Here.