TRUSTED VENDOR · Joined Dec 5, 2020 · Messages: 3,162

1—Reusable CSRF Token
Alright, so here’s the wild part: PayPal’s CSRF “Auth” token—you know, the little string that’s supposed to keep every request legit? It’s supposed to change with every single client action, right? That’s what you’d expect, at least. But after poking around, I realized the token actually sticks around for each user’s email or username. So, if some scumbag gets their hands on your CSRF token, they can basically do whatever they want, acting like they’re you. Kinda scary. Only catch? There’s no obvious way for someone to just snatch your “Auth” value from your session. So, interesting, but not instantly game over… yet.

2—Bypassing the CSRF Auth Framework
So, PayPal’s CSRF Auth checks every request. But imagine this: some random attacker who isn’t even logged in tries a “send money” thing. PayPal’s like, “Cool, gimme your email and password.” The attacker just throws in the victim’s email and literally any password—doesn’t matter if it’s correct. Then, they intercept the request and—surprise!—there’s a valid CSRF Auth token in there. This token? It’s reusable. It can validate actions for that specific user. Dig a little deeper and you’ll find that attackers can even score a CSRF Auth token that works for ANY user, just by grabbing it from a POST request on a certain page—seriously, check out “https://www.paypal.com/eg/cgi-receptacle/webscr?cmd=_send-cash”. Right there, logged out and everything. Now the attacker can CSRF pretty much any request as if they’re the real user.

Oh, and about changing passwords—turns out, attackers can’t mess with your password unless they know your security questions. Good news! But then again, you can’t change your own security questions without your password, so… I guess that’s fair?

3—Bypassing Security Questions Change
Now here’s where it gets extra spicy: when users first set up their security questions during account creation, the whole thing isn’t even password-protected. That’s right. And even better (or worse, depending on who you are), that setup request can be reused. So if someone’s already got their evil hands on a CSRF Auth token, they can just submit that same request, reset your security questions, and never need to know your password. Yikes.

So, bottom line? An attacker who puts the pieces together can pull off targeted CSRF attacks on PayPal users and totally hijack their accounts. Like, full control. They can:
1. Add, remove, or confirm email addresses
2. Add new “trusted” users to a business account
3. Change your security questions (duh)
4. Mess with your billing or shipping address
5. Swap out payment methods
6. Fiddle with your account settings, notifications, mobile stuff—you name it.

And honestly? Who knows what else. The sky’s the limit, apparently.
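Added example, not part of the post above and not PayPal's code: a toy account service that models the two token designs the post contrasts, so the chain in points 2 and 3 can be reproduced offline. The weak scheme derives the anti-CSRF value from the account identity alone and hands it out on a logged-out form even when the password is wrong; the hardened scheme binds the token to an authenticated session and to one specific action. All names, user records and the "send money" / "change security questions" endpoints are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret and user store (hypothetical, not real accounts).
SERVER_KEY = secrets.token_bytes(32)
USERS = {
    "victim@example.com": "correct-horse-battery-staple",
    "attacker@example.com": "attacker-pass",
}


def weak_token(email: str) -> str:
    """Weak design from the post: one token per account identity, valid for any
    action, in any session, and derivable by anyone who knows the email."""
    return hmac.new(SERVER_KEY, email.lower().encode(), hashlib.sha256).hexdigest()


def weak_verify(email: str, token: str) -> bool:
    return hmac.compare_digest(weak_token(email), token)


def strong_token(session_id: str, action: str) -> str:
    """Hardened design: token bound to an authenticated session and one action."""
    msg = f"{session_id}\x00{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def strong_verify(session_id: str, action: str, token: str) -> bool:
    return hmac.compare_digest(strong_token(session_id, action), token)


class Server:
    """Toy account service; `hardened` switches between the two token schemes."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = {}  # session_id -> email, created only on successful login
        self.questions = {email: "original answers" for email in USERS}

    def login(self, email: str, password: str):
        """Returns a fresh session id on success, None otherwise."""
        if USERS.get(email) != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = email
        return sid

    def send_money_form(self, email: str, password: str):
        """Models the logged-out send-money page that asks for email + password.
        Weak server: embeds the account-bound token even if the password is wrong.
        Hardened server: embeds nothing unless a session was actually created."""
        sid = self.login(email, password)
        if self.hardened:
            return (sid, strong_token(sid, "change_questions")) if sid else (None, None)
        return (sid, weak_token(email))

    def change_security_questions(self, email, session_id, token, new_answers) -> bool:
        """Sensitive action; the token is the only gate, as in point 3 of the post."""
        if self.hardened:
            # Token must come from a live session that belongs to this account.
            if self.sessions.get(session_id) != email:
                return False
            if not strong_verify(session_id, "change_questions", token):
                return False
        elif not weak_verify(email, token):
            return False
        self.questions[email] = new_answers
        return True


def run_attack(hardened: bool) -> bool:
    """Logged-out attacker runs the post's chain against the victim.
    Returns True if the victim's security questions were overwritten."""
    srv = Server(hardened)
    victim = "victim@example.com"
    # Point 2: submit the victim's email with any password and harvest the token.
    _, token = srv.send_money_form(victim, "definitely-wrong")
    if token is None:
        return False
    # Point 3: replay the questions-setup request carrying that token.
    return srv.change_security_questions(victim, "attacker-chosen-sid", token, "pwned")


def run_cross_account_replay(hardened: bool) -> bool:
    """Attacker logs in as themselves and tries their own token against the victim."""
    srv = Server(hardened)
    sid, token = srv.send_money_form("attacker@example.com", "attacker-pass")
    return srv.change_security_questions("victim@example.com", sid, token, "pwned")


def legitimate_change(hardened: bool) -> bool:
    """Sanity check: the real account owner can still change their answers."""
    srv = Server(hardened)
    sid, token = srv.send_money_form("victim@example.com", USERS["victim@example.com"])
    return srv.change_security_questions("victim@example.com", sid, token, "new answers")
```

The binding to a session id means a token minted for one login is worthless in another, and the per-action label stops a token harvested from a harmless form being replayed against the questions endpoint. Binding alone does not address point 3 of the post: the hardened server here still lets a token, rather than the password, authorize the security-questions change, so a real fix would additionally require re-authentication for that request.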