
Thread: PayPal CSRF: Change Primary Phone Number

  1. #1
    Webapp Secninja (Ranchi, Jharkhand; joined Aug 2012)

    PayPal CSRF: Change Primary Phone Number

    Hello guys, finally the website is up and running. Like Vivek Ramachandran would say - Hello SecurityTube..Err...Garage4Hackers (no offense).

    I will share my finding about a CSRF that I discovered on PayPal, reported to them as a part of its bug bounty program, which has been fixed by them with a $750 reward.

    So this is a fairly critical cross-site request forgery that forces a user's primary phone number linked with his PayPal account to be changed to one of the hacker's choice.

    Now let's jump to the vulnerability details. PayPal has a webpage that allows anyone to verify their phone number by sending a confirmation code.

    [Image: page.jpg]


    When a phone number is added to the text box and "Send Code" is hit, a POST request is sent to PayPal's server with the phone number, then the account's phone number gets changed to the one specified in the text box. The problem exists when the POST is sent to the server: there are no mitigations in place to check the authenticity of the request being made. So to exploit this scenario an attacker would have to set up a webpage containing code to send a legitimate-looking POST request to PayPal's server when the page is viewed by the victim; if the victim is logged into his PayPal, his account phone number would change.

    After all this has happened the attacker can easily reset the password, with the requirement that he knows the victim's secret questions or his bank account number linked to PayPal. The attacker would initiate a password reset request for the PayPal ID and then select the method of "Ownership by Phone".

    [Image: phone_num.jpg]

    An automated call will be made to the "newly" added phone number from PayPal asking for the code that would be displayed on the Forgot Password screen after the call has been initiated from PayPal's system. Once the attacker presses the numbers displayed on the webpage on the phone keypad when asked, he can proceed to the next step of resetting the password.

    [Image: verify_additional.jpg]

    Then the attacker needs to answer the security questions or provide the bank account number, and then he can reset the password.

    VIDEO POC:



    Originally posted on http://www.securitypulse.co/
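    Added example (not code from the post or from PayPal): a minimal Python model of the phone-change handler as the post describes it, next to a hardened version that binds a synchronizer token to the session and checks the request's Origin/Referer. SITE_ORIGIN, the phone numbers and the third-party origin are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://wallet.example.test"  # assumed placeholder for the real site


@dataclass
class Session:
    """Server-side state tied to the login cookie the browser sends automatically."""
    user: str
    phone: str
    # Synchronizer token: per session, embedded in the genuine form only.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def same_origin(url: str, expected: str) -> bool:
    """Compare scheme and host exactly; a string-prefix check could be bypassed."""
    got, want = urlsplit(url), urlsplit(expected)
    return bool(got.netloc) and (got.scheme, got.netloc) == (want.scheme, want.netloc)


def change_phone_vulnerable(session: Session, form: dict) -> int:
    """The flaw as described in the post: any POST with a valid cookie is acted on."""
    session.phone = form["phone"]
    return 200


def change_phone_hardened(session: Session, form: dict, headers: dict) -> int:
    """Require the session's token and a same-site Origin (or Referer fallback)."""
    source = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(source, SITE_ORIGIN):
        return 403
    token = form.get("csrf_token", "")
    # Constant-time compare on bytes; str compare_digest rejects non-ASCII input.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403
    session.phone = form["phone"]
    return 200


def demo() -> tuple:
    """Replay one constructed cross-site POST against both handlers."""
    forged_form = {"phone": "+1-555-0199"}  # constructed sample values
    forged_headers = {"Origin": "https://third-party.example"}
    v = Session("victim", "+1-555-0100")
    vulnerable_status = change_phone_vulnerable(v, forged_form)
    h = Session("victim", "+1-555-0100")
    hardened_status = change_phone_hardened(h, forged_form, forged_headers)
    return vulnerable_status, v.phone, hardened_status, h.phone
```

    demo() returns (200, '+1-555-0199', 403, '+1-555-0100'): the cookie alone changes the number in the vulnerable handler, while the hardened one leaves it untouched.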

  2. #2
    nic3 1 bro...
