PayPal Fixes Malicious Email Issue
Tuesday, April 5, 2016 @ 01:04 PM gHale
PayPal patched a bug in one of its service’s features that would have permitted attackers to use PayPal’s servers to send emails with malicious code.
The issue centers on a user’s ability to share a PayPal account with other people. The attacker only has to create an account and then add the email addresses of the people he wants to share the account with. By default, PayPal sends these people an email to verify their identity.
Benjamin Kunz Mejri, a security researcher at the German firm Vulnerability Lab who discovered the vulnerability, found he could add malicious code to his account’s username; PayPal’s automatic emailing application would then embed that code in the emails it sent to those people.
When the email reached its target and the victim opened it, the malicious code would execute automatically in the victim’s email client.
A successful attack would allow a hacker to carry out session hijacking and redirection to external sources, but the most dangerous scenario is a user clicking a link and entering PayPal credentials on a phishing site. Since the email comes from PayPal’s official email address, most users would not suspect a thing.
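The defect described above is a display name inserted unescaped into an HTML email template. The following Python is an added example, not PayPal’s code or Vulnerability Lab’s, showing a vulnerable renderer beside a hardened one; the template text, the recipient, the verification link and the tainted name are all constructed for illustration.

```python
import html
import re

# Constructed sample values (not from the article): a display name that
# carries markup, of the kind the article describes being embedded in an
# account-sharing verification email.
TAINTED_NAME = 'Ann <a href="https://login.example.invalid">Verify now</a>'
VERIFY_LINK = "https://verify.example.invalid/confirm?token=CONSTRUCTED"

# Hypothetical email template; {name} is user-controlled, {link} is server-generated.
TEMPLATE = (
    "<p>{name} wants to share a PayPal account with you.</p>"
    '<p>Please verify your identity: <a href="{link}">{link}</a></p>'
)


def render_share_email_vulnerable(name: str, link: str) -> str:
    """Unsafe: the user-controlled name is dropped into the HTML body as-is,
    so any markup it carries is delivered verbatim to the recipient's mail client."""
    return TEMPLATE.format(name=name, link=link)


def render_share_email_safe(name: str, link: str) -> str:
    """Hardened: every value is HTML-escaped at the point of insertion, so
    markup in the name renders as inert text instead of a live link or script."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        link=html.escape(link, quote=True),
    )


# Defence in depth: a conservative allow-list for display names, checked when
# the account is created so markup never reaches the mail template at all.
DISPLAY_NAME_RE = re.compile(r"[\w .,'-]{1,64}")


def is_acceptable_display_name(name: str) -> bool:
    """True only if the name is made of letters, digits, spaces and a few
    punctuation marks; angle brackets, quotes and slashes are rejected."""
    return DISPLAY_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    print("vulnerable:", render_share_email_vulnerable(TAINTED_NAME, VERIFY_LINK))
    print("safe:      ", render_share_email_safe(TAINTED_NAME, VERIFY_LINK))
    print("name accepted at signup:", is_acceptable_display_name(TAINTED_NAME))
```

Output encoding fixes the email body; the allow-list check stops the tainted value from ever being stored.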
The persistent input validation web vulnerability carries a medium security risk, with a CVSS score of 3.8.
“Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction,” Mejri said in a post.