An Egyptian student figured out how to bypass PayPal’s security methods to completely take control of user accounts by changing their passwords. Yasser Ali, a self-described “former hacktivist” and information security student who works by day as a mechanical engineer, found and reported the security flaw.
Ali says that PayPal addressed the issue “very fast” when he contacted them. His reward for finding the flaw and reporting it to the digital payment service, he says, was $10,000.
The engineer posted his findings in a blog post, saying the hack could be carried out “with one click.” Getting into a customer’s account required only that the customer click a link, which he said could be embedded in an email disguised to look like it had come from PayPal.
PayPal’s request-forgery protection uses “authentication tokens,” simple codes issued to its customers that are changed every time the user clicks. However, Ali found that each token could be reused, as long as PayPal thought it was coming from the customer it was issued to. By intercepting data between PayPal and the user, an attacker could trick the service into allowing them to add email addresses and even change security questions, which would allow them to set a new password and take over the account completely.
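As an added defender-side illustration (this is example code, not PayPal’s implementation and not taken from Ali’s write-up), the Python below shows a CSRF token that is bound to one session and one action and is invalidated on first use, so the token reuse described above would be rejected; names such as SERVER_KEY and CsrfTokens are this example’s own.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical signing key for this example; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


class CsrfTokens:
    """Single-use CSRF tokens bound to a session and a specific action.

    A token is accepted only if it was minted for this session and this
    action, has not expired, and has never been consumed before.  The last
    condition is what the reported PayPal flaw lacked: an accepted token
    stayed reusable for further requests from the same customer.
    """

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._issued = {}  # nonce -> expiry; the entry is removed on first use

    def _sign(self, session_id, action, nonce, exp):
        msg = f"{session_id}|{action}|{nonce}|{exp}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, action, now=None):
        """Mint a token for one session/action pair; embed it in that form only."""
        now = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)
        exp = now + self.ttl
        self._issued[nonce] = exp
        return f"{nonce}.{exp}.{self._sign(session_id, action, nonce, exp)}"

    def consume(self, token, session_id, action, now=None):
        """Return True at most once per token, and only for its own session/action."""
        now = int(time.time() if now is None else now)
        try:
            nonce, exp_s, sig = token.split(".")
            exp = int(exp_s)
        except ValueError:
            return False  # malformed token
        expected = self._sign(session_id, action, nonce, exp)
        # Constant-time comparison; a wrong session or action yields a different MAC
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        # Remove the nonce first so a replay of this token can never succeed
        if self._issued.pop(nonce, None) is None or now > exp:
            return False  # already used, never issued, or expired
        return True
```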
Update: “One of our security researchers recently made us aware of a potential way to bypass PayPal's Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern,” a PayPal spokesperson said.
A number of security experts have alerted PayPal to flaws that could compromise customers’ accounts. Most recently, a security company disclosed a threat capable of overriding PayPal’s two-factor authentication.
Auction site eBay Inc. bought the service in 2002 and now plans to spin it off. Ali produced a video, embedded below, showing how the hack could have allowed an attacker to take over someone’s PayPal account.