PayPal is a well-known online payment service and a company which runs a bug bounty program. We’ve participated in their bug bounty program and we’ve discovered a very critical security issue on their main domain www.paypal.com. We’ll now write something about the reporting-process and the vulnerability itself. This article should show that big companies are not 100% secure and can also suffer from critical vulnerabilites.
Paypal is an online payment services provider who enjoys world-wide populiarity. Paypal was founded in 1998 and was taken over by eBay in 2002. Today it has more than 230 billions of registered users and a lot of websites and/or online shops offer Paypal as a payment method.
The issue we’ve discovered is called a “path traversal” vulnerability (reffered to as “Directory Traversal”). The concept of this vulnerability type is that unauthorized people can display and download abitary files from the server. The attacker only needs to know or to brute-force the path to a specific file which he wants to download. The vulnerability existed in the function “_getnbinternal” of paypal’s API. This API call is being used to include different files in the sourcecode of some paypal websites. For example:
Further tests of this url and espacially the “path” parameter showed that it was possible to manipulate the path to the included file using “./” and “../”. After some relative traverses, we reached the the root-folder (/). We know that unix systems provide a “/etc/passwd”, which can be read by every user. With that knowledge we were able to download the /etc/passwd file from one of paypals main server! PWNED ;)
A few months ago this link was a critical vulnerability, which allows you to download system data, today this issue is fixxed.
All big operating systems (for example Windows and Linux) have standard system files which you can read, there are often located in the same path.
After this first impression we decided to not to be a bad boy and to responsibly disclose the vulnerability to paypals security team. After some days we received a very sobering response which stated that this issue is invalid. But we’re all humans and we know that humans make mistakes. In opposite to the Facebook-Hacker “Khalil Shreateh” we wrote a completely new email with all technical details and we included the download links to the /etc/passwd and httpd.conf (apache config file) files. In addition we answered their question “How this vulnerability can harm their customers”.
In the end it took us 3-5 clarifying emails to convince PayPal to treat the vulnerabilty in scope of their bug bounty. Afterwards we thought that PayPal would fix this problem asap. They proofed us wrong, because they fixed it three months later.
All in all the communication was a bit slow. This bug submission was rewarded by paypal with a 4-digit bounty.
The first fix was a filter, all events with “./” and “../” were replaced with None (“”). This implemantation still was faulty, so it was possible to bypass the filter. The bypass was simple, because you just have to replace the statements like this:
- ”./” => “..//”
- ”../” => “….//”
- ”/” => “//”
The new URL to the system files looked like:
It could also be possible to brute-force the pathes and find some more critical data. If there would be some backups from user data, a bad guy may would be able to download them. The lost of confidentiality would be very impressive, like you can see in former times at the Playstation Network hack.
We contacted Paypal again and told the security team that it was possible to bypass the filter. The security support opend a new case and fixed the vulnerability within the next months.
At last there were some misunderstandings about the amount of the bounty payment. In the bugbounty program ToS it is mentioned that every vulnerability on the main domain paypal.com would be rewarded with at least 750$, but there have only been associated 500$ to this specific bug on the reward panel. After contacting the security team again, they apologized for their mistake and corrected the bounty sum. All in all this bug was worth a 5-digit payment.
We would like to thank PayPal for their great BugBounty program and the official listing in their “Wall of Fame”: https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention