From Flaw to Exploit

I came across the following post by Netcraft: PayPal Security Flaw allows Identity Theft, and I was wondering HOW long would it take me to find the flaw fraudsters were using (or any other flaw) to cause a cross site scripting vulnerability?

Well, amazingly enough, it took me less than 5 minutes. Here is my recipe for how I found it:
1) Google.com
2) Use screenshot content
3) Find a legit question regarding this error
4) Find an active PayPal account (email)

1) Google.com
Use google.com to look up “PayPal – Error Detected” (URL) as the screenshot’s title says. Access that page… wonder what parameter was flawed… hrm… no luck…

2) Use the screenshot content
Notice that the screenshot’s content is a bit more than just… “PayPal – Error Detected”… it also talks about a currency issue?! … find a “PayPal – Error Detected” problem (URL) where currency is involved

3) Find a legit question regarding this error
Use google.com again to find more than one person trying to solve this error, follow the sample links they provide to what they tried to do and how it was caused, try all the parameters they supplied for cross site scripting… hint hint… Find the cross site scripting vulnerability… come up empty handed… and come to the conclusion that…

4) Find an active PayPal account (email)
For the exploit/problem to work, you need to have at least one valid PayPal email account; supply that in step 3’s URL and you are home free.

Total time involved in finding the hole: less than 5 minutes. Total time it should have taken PayPal to close the hole: less than 5 minutes, including QA.

NOTE: I won’t provide the URL that triggers the error. I found 4 variations that cause a cross site scripting (CSS) issue, i.e. different parameters and different combinations all causing the same issue; readers are more than welcome to find them by themselves, the bad guys have already done it.

NOTE: I don’t think you can blame Netcraft, they did try to hide the problem, though they neglected to hide the URL better. The x**ck was a nice hint, the title of the page was good info as well, but the best lead, for me at least, was the content of the page – “This recipient does not accept payments denominated in US”.
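The bug class behind this post is an error page that reflects a request parameter into its HTML without encoding it, and the "less than 5 minutes including QA" fix is output encoding. The following is an added example, not PayPal's code or anything from the Netcraft article: a hypothetical error-page template with a vulnerable renderer beside a hardened one, plus the kind of reflection check a QA engineer would run over the rendered response. The URL, template text and parameter names are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Hypothetical error-page template, modelled loosely on the "PayPal - Error
# Detected" page the post describes. Constructed for this example.
TEMPLATE = (
    "<html><head><title>PayPal - Error Detected</title></head><body>"
    "<p>This recipient ({recipient}) does not accept payments "
    "denominated in {currency}.</p></body></html>"
)


def render_error_vulnerable(recipient: str, currency: str) -> str:
    """Reflects the query parameters into the page verbatim, so any markup
    in a parameter becomes markup in the response (the bug class above)."""
    return TEMPLATE.format(recipient=recipient, currency=currency)


def render_error_hardened(recipient: str, currency: str) -> str:
    """Same page, but every untrusted value is HTML-entity-encoded before it
    is placed in element content. quote=True also encodes quotes, so the same
    encoding is safe inside a double-quoted attribute value."""
    return TEMPLATE.format(
        recipient=html.escape(recipient, quote=True),
        currency=html.escape(currency, quote=True),
    )


def params_from_url(url: str) -> dict:
    """Extract the first value of each query parameter from a request URL."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def reflected_unescaped(page: str, value: str) -> bool:
    """QA check: True if a supplied value containing markup characters shows
    up in the rendered page exactly as sent, i.e. without entity encoding."""
    has_markup = any(c in value for c in "<>\"'")
    return has_markup and value in page


# Constructed sample request; example.invalid is a reserved, non-routable name.
SAMPLE_URL = (
    "https://example.invalid/error"
    "?recipient=<b>probe</b>@example.invalid&currency=USD"
)


def check_both(url: str = SAMPLE_URL) -> dict:
    """Render the same request through both renderers and report whether
    the recipient parameter came back unencoded in each."""
    p = params_from_url(url)
    vuln = render_error_vulnerable(p["recipient"], p["currency"])
    hard = render_error_hardened(p["recipient"], p["currency"])
    return {
        "vulnerable_reflects": reflected_unescaped(vuln, p["recipient"]),
        "hardened_reflects": reflected_unescaped(hard, p["recipient"]),
        "hardened_output": hard,
    }


if __name__ == "__main__":
    for key, val in check_both().items():
        print(f"{key}: {val}")
```

The check is deliberately dumb: it only asks whether a value with markup characters survived the round trip untouched. That is exactly the kind of test that belongs in the QA pass for every page that echoes a parameter, and it would have flagged each of the parameter variations the post alludes to, since they all share the same missing encoding step.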

  • http://goukihq.org Gouki

    Nice work (-;

  • sunshine

    Ignoring patch2exploit time, as this is not what’s discussed, here is a good and recent example for how this works:
    ISS releases a generic advisory about a vulnerability in sendmail, no details. A few hours later Dave Aitel “pops it” and sends the information to his mailing list.
    I can bring many other examples of “I know of an issue with that site or..” and withholding data, which is found when looked shortly after.

    This should be about how silly and annoying it is to release only the face value of the information, while the Bad Guys already have it, for the semblance and mere appearance of being more ethical.

  • sunshine

    More amazingly, that “nice work” comment was not comment spam!

  • http://networksecurity.typepad.com/ Juha-Matti

    This news published later on Friday says they have fixed this serious flaw:
    http://news.zdnet.com/2100-1009_22-6084974.html

    referring to an interview with PayPal spokeswoman Amanda Pires.

  • noam

    I tried the variations I found, they still work, maybe they are unaware of them? In any case they aren’t fixed.

  • http://networksecurity.typepad.com/ Juha-Matti

    Maybe PayPal (eBay Inc.) people have to start reading SecuriTeam Blogs frequently.

  • Pingback: SecuriTeam Blogs » Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities