Skip to main content

PayPal takes 18 months to patch remote execution security flaw

PayPal has taken more than 18 months to patch a critical vulnerability that enabled attackers to load script and remotely execute arbitrary code to access local web server files.

The flaw was recognised as “critical” by security research team Vulnerability Lab earlier this month and affected the core PayPal profile application.

Read more: PayPal ad hits out at Apple Pay’s security following celeb leak

The system specific code execution was exploitable with only a low privilege PayPal account and did not require user interaction.

In a post online, founder of Vulnerability Labs Benjamin Kunz Mejr outlined some of the key details regarding the remote code execution flaw.

"Successful exploitation of the vulnerability results in unauthorized execution of system specific codes, webshell injects via POST method, unauthorized path/file value requests to compromise the application or the connected module components," he wrote.

"The system specific arbitrary code execution vulnerability is located in the developer API portal with connection and account access to the PayPal portal API."

During his investigation, Kunz Mejr also discovered a filter bypass and persistent bugs in the same vulnerable parameter location.

Hackers could use the vulnerability to send a local request within a trusted context in order to secure sensitive information or deploy webshell injects.

PayPal was originally informed of the security flaw back in April 2013 but did not issue a patch until 25 October this year, alongside a reward through eBay’s bug bounty programme.

Read more: PayPal and eBay to go their separate ways in 2015

The case is not the first time that Vulnerability Labs has discovered a flaw in PayPal’s security systems. Earlier in the year, researcher Ateeq Khan found a medium-level vulnerability in the company’s shipping service that enabled hackers to inject malicious code into the platform.