A pentester has published a write-up on how he was able to hijack PayPal accounts using Flash. He explains that he did it through the “Attach a file” option available on the PayPal.com domain: he uploaded a .SWF file carrying his payload, named so that PayPal stored and served it back as an ordinary attachment.
The payload, the attacker-side embed that loads the uploaded file back from the victim domain as Flash content, looks like this:
<object style="height:1px;width:1px;" data="http://victim.com/user/2292/profilepicture.jpg" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=read&u=http://victim.com/secret_file.txt"></object>
Flash Player decides what a file is from its bytes and takes a SWF's origin from the host that served it, not from the file extension or the Content-Type, so a SWF stored and served as profilepicture.jpg runs with the victim.com origin. The flashvars tell it to read secret_file.txt, which it can fetch with the victim's session cookies, and allowscriptaccess="always" lets it hand the response to the embedding page's JavaScript.
He explains that he used the Detectify blog tutorial to understand how to test and exploit “attach a file” and upload features on websites. He also notes that PayPal served a crossdomain.xml policy that extended Flash trust across the PayPal environment, so a SWF stored on one PayPal host was permitted to read responses from other hosts in that environment rather than only from the one that served it.
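As an added example, not part of the original write-up or of PayPal's own code: the two server-side checks that would have closed this vector, written in Python. The first is the content check an upload handler should make (sniff the bytes, never trust the extension), the second an audit of a crossdomain.xml policy for entries that extend Flash trust too broadly. The SWF bytes, image bytes and policy documents below are constructed for the example, and the example.com hosts are placeholders.

```python
"""Checks against the Flash same-origin upload trick: sniff uploads by magic
bytes and audit crossdomain.xml. All sample inputs are constructed."""
import xml.etree.ElementTree as ET

# Flash Player recognises a SWF by its first three bytes, never by extension
# or Content-Type, so the upload check has to look at the same thing.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff(data: bytes) -> str:
    """Return 'swf', an image type, or 'unknown' from magic bytes only."""
    if data[:3] in SWF_MAGIC:
        return "swf"
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def upload_allowed(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only when the extension is whitelisted AND the bytes agree.

    A SWF renamed to profilepicture.jpg fails here regardless of the
    Content-Type the client declared.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False, f"extension '{ext}' not allowed"
    actual = sniff(data)
    if actual == "swf":
        return False, "content is a SWF (FWS/CWS/ZWS header)"
    if actual != expected:
        return False, f"extension says {expected} but content sniffs as {actual}"
    return True, "ok"


def audit_crossdomain(xml_text: str) -> list[str]:
    """Flag crossdomain.xml entries that grant Flash cross-origin reads broadly.

    Returns a list of findings; an empty list means nothing obviously permissive.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any SWF anywhere may read authenticated responses')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every host under {domain[2:]}, '
                            "including any that serves user uploads, is trusted")
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": plain-HTTP SWFs trusted by an HTTPS site')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": arbitrary request headers from any origin')
    return findings


# Constructed samples, not real PayPal files or policies.
FAKE_SWF_AS_JPG = b"CWS\x0a" + b"\x00" * 12  # zlib-compressed SWF header, uploaded as .jpg
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    print(upload_allowed("profilepicture.jpg", FAKE_SWF_AS_JPG))
    print(upload_allowed("profilepicture.jpg", FAKE_JPEG))
    for finding in audit_crossdomain(PERMISSIVE_POLICY):
        print("finding:", finding)
    print("strict policy findings:", audit_crossdomain(STRICT_POLICY))
```

The wildcard subdomain finding is the one that matters for this page: a policy that trusts every host in the environment makes any upload endpoint on any of those hosts a way to plant trusted Flash content. Serving user uploads from a separate, untrusted domain with Content-Disposition: attachment removes the vector even when the content check is bypassed.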
He reported his findings to the PayPal security team, who replied that the report was a duplicate and that he would not receive the bounty. The fun fact is that PayPal had left the vulnerability in place even though, by their own account, they already knew it existed on PayPal domains.
The pentester stated the following about his findings and his communication with PayPal:
I don’t know what to think here. I know that researchers sometimes find the same bugs, but I think PayPal needs to handle what they’re calling duplicate reports a little better. Evidence of the duplicate report ever existing would go a long way towards making me think they’re not just trying to screw me out of $10,000. (Edit: I made it sound a bit too much like I think they cheated me out of the bounty. I think it’s probable this was legitimately a duplicate, it’s just I have no evidence and it would be cool if I did.) All in all, I’ll keep doing bug bounty programs, but I’ll probably stay farther away from PayPal in the future.