PayPal, currently owned by eBay, is one of the most popular methods for moving money online. Of course, as Microsoft knows from Windows, with popularity come problems.
People are going to poke and prod in an effort to find soft spots. Sometimes the intention is to help fix things, sometimes to exploit the problems.
Security researcher Yasser Ali is on the good side, but he has still released details of a vulnerability that shows how easy it can be to hack PayPal. However, before you get all worked up, the payment service fixed the problem before Ali announced it. It also paid him in gratitude for the information.
The problem arose from CSRF tokens, which authenticate each request made by a customer. Every request generates a different token, but Ali found that previous ones could be reused. That sounds difficult to exploit, as the attacker first needs to obtain a valid token.
However, according to Ali, "If an attacker 'not logged in' tries to make a 'send money' request then PayPal will ask the attacker to provide his email and password. The attacker will provide the 'Victim Email' and ANY password. Then he will capture the request. The request will contain a Valid CSRF Auth token which is reusable and can authorize this specific user request."
It gets worse - "After further investigation, I have noticed that the request of setting up the security questions 'which is initiated by the user while signing up' is not password-protected, and it can be reused to reset the security questions up without providing the password.
Hence, armed with the CSRF Auth, an attacker can CSRF this process too and change the victim’s Security questions".
While all this sounds menacing, at least it's fixed and PayPal acted quickly. We've seen, in the past, cases where the company ignored findings, leading to the researcher announcing details while things were still vulnerable.
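The following added example (not PayPal's code and not taken from Ali's write-up) shows one way a server can avoid both token weaknesses described above: tokens are consumed on first use, bound to the session they were issued to, and never issued before login succeeds. The class name, the session fields and the `TOKEN_TTL` value are assumptions made for illustration.

```python
import secrets
import time

TOKEN_TTL = 300  # seconds; assumed lifetime for this example


class CsrfTokens:
    """Single-use CSRF tokens bound to one authenticated session."""

    def __init__(self):
        self._pending = {}  # (session_id, token) -> expiry timestamp

    def issue(self, session, now=None):
        # No token before login succeeds: a failed login that merely names
        # someone's email must not yield a token usable for that account.
        if not session.get("authenticated"):
            raise PermissionError("unauthenticated session")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[(session["id"], token)] = now + TOKEN_TTL
        return token

    def verify(self, session, token, now=None):
        if not session.get("authenticated"):
            return False
        now = time.time() if now is None else now
        # pop() consumes the token, so a captured value cannot be replayed;
        # keying on the session id rejects tokens minted for another session.
        expiry = self._pending.pop((session["id"], token), None)
        return expiry is not None and now <= expiry


def demo():
    """Run the failure cases from the article against the token store."""
    store = CsrfTokens()
    victim = {"id": "sess-victim", "authenticated": True}      # constructed
    attacker = {"id": "sess-attacker", "authenticated": True}  # constructed
    anonymous = {"id": "sess-anon", "authenticated": False}    # constructed

    token = store.issue(victim)
    results = {
        "cross_session": store.verify(attacker, token),  # wrong session
        "first_use": store.verify(victim, token),        # legitimate request
        "replay": store.verify(victim, token),           # same token again
    }
    try:
        store.issue(anonymous)
        results["anonymous_issue"] = True
    except PermissionError:
        results["anonymous_issue"] = False
    return results
```

Sensitive account changes such as resetting security questions would additionally require the current password, since a CSRF token alone only proves where the request originated.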