PayPal recently resolved a cross-site request forgery (CSRF) vulnerability affecting the PayPal.me website, which could have allowed an attacker to change a user’s PayPal profile picture.
Discovered by French software engineer Florian Courtial, the bug couldn’t be easily exploited and also required user interaction. To be more precise, an attacker would have to trick the victim into visiting a website hosting malicious code that automatically submits an HTML form, thereby carrying out the CSRF attack.
Exploiting the vulnerability would only allow an attacker to change the PayPal profile image and, given the difficulty in abusing it, the researcher was awarded a small bug bounty of only $750.
PayPal.me isn’t available in all countries where PayPal.com is. The site was designed as a public page that is linked to the user’s PayPal account and which offers an easy way to receive/send money. The page can also be used to accept donations.
Since both people and businesses rely on PayPal to send and receive money, it becomes clear why an attacker able to modify the profile image, which is displayed on the public pages associated with the account, might negatively impact the account.
PayPal.me allows users to manage a small number of settings for the page, including the displayed picture, the background color, and more. PayPal.com, however, offers full access to personal information, including the profile picture, which is used in both places.
Starting from this and using Burp, the researcher tested both sites for CSRF vulnerabilities and found that he could edit the CSRF token and still upload the profile picture without triggering errors. He also found that, even when headers were missing, the form could be submitted transparently, without a redirection.
The process did result in a 500 error, due to the missing X-Requested-With: XMLHttpRequest header, the researcher explains. Courtial also notes that while requiring this header is not a good protection against CSRF, it does make the bug difficult to exploit; nevertheless, the attack still resulted in a modified profile picture despite the aforementioned error.
However, Courtial underlines that the vulnerability allows an attacker to update a PayPal.me user’s profile picture without their consent only after the victim clicks on the attacker’s link. The researcher detailed the security issue in the video embedded below.
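As an added illustration, not code from the researcher or from PayPal, the Python sketch below contrasts a handler with the two weaknesses described above (a CSRF token that is read but never verified, and a picture change that happens before the missing X-Requested-With header produces a 500) with a hardened handler that rejects the request before touching state. The Request and Profile classes and the `https://example.test` origin are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed stand-in for an HTTP request; `session` is the server-side session."""
    headers: dict
    form: dict
    session: dict


@dataclass
class Profile:
    picture: str = "default.png"


def weak_update_picture(req, profile):
    """Mirrors the flaw described above: the token is never verified, the picture is
    changed first, and the missing AJAX header only causes a late 500 error."""
    profile.picture = req.form["picture"]          # state changes unconditionally
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return 500                                  # error, but the change already happened
    return 200


def issue_token(session):
    """Store a fresh random CSRF token in the session and return it for the form."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def same_origin(header_value, allowed):
    u, a = urlsplit(header_value or ""), urlsplit(allowed)
    return (u.scheme, u.netloc) == (a.scheme, a.netloc)


def hardened_update_picture(req, profile, allowed_origin="https://example.test"):
    """Validate before mutating. `allowed_origin` is an assumed placeholder for the site."""
    # A form auto-submitted from an attacker's page carries that page's Origin/Referer.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not same_origin(origin, allowed_origin):
        return 403
    # The token must exist in the session and match the submitted value (constant time).
    expected = req.session.get("csrf", "")
    submitted = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403
    profile.picture = req.form["picture"]           # only now mutate state
    return 200
```

Note that a cross-site form post cannot set X-Requested-With, so the weak handler's 500 is exactly the symptom reported above: the browser shows an error while the server has already applied the change.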
Last month, PayPal addressed a vulnerability that could have been exploited by hackers to insert malicious images into payment pages. In March, PayPal patched a filter bypass and an application-side input validation vulnerability that allowed hackers to inject malicious code into emails sent by the payment processor.