Researcher discovers vulnerability in PayPal
Researcher Michael Stepankin has found a vulnerability in PayPal. By exploiting it, Stepankin was able to execute system commands on PayPal's servers.
Stepankin says he found the remote code execution vulnerability on one of PayPal's corporate websites. Because of insecure Java object deserialization, the vulnerability allowed him to execute arbitrary shell commands on the PayPal servers, which in turn gave him access to PayPal's production databases. He reported the vulnerability to PayPal, whereupon the company fixed it and compensated Stepankin.
In December 2015, the researcher was conducting security tests of the manager.paypal.com website when he discovered that it was possible to execute arbitrary commands on PayPal's web servers. Stepankin was also able, for example, to connect back to a server of his own and to upload and use a backdoor. To demonstrate the vulnerability, Stepankin copied the "/etc/passwd" file to his own server. He also made a video in which he demonstrates the Java object deserialization vulnerability.
PayPal states that the vulnerability was greater than anticipated. The root cause is Java applications that deserialize untrusted data while having the Apache Commons Collections library on their classpath. Mark Litchfield, one of PayPal's security researchers, had reported the vulnerability several days before Stepankin reported it, according to the company. According to Litchfield, there were nine different points where the issue occurred, but PayPal claims they all had the same origin and that the issue in question has been resolved.
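The mitigation the root cause above calls for is to never let an `ObjectInputStream` instantiate classes the endpoint does not expect, whatever libraries happen to sit on the classpath. The following is an added illustration written for this article, not code from PayPal or from either researcher; it assumes a constructed `SessionToken` type as the only legitimate payload and requires Java 9 or later.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

public class DeserializationDemo {
    // Constructed sample type: the only class this endpoint legitimately expects.
    static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }
    // The vulnerable pattern is plain new ObjectInputStream(in).readObject(): every class named in
    // the stream is resolved and instantiated, so any gadget chain on the classpath is reachable.
    // Hardened form: a look-ahead allowlist. resolveClass() runs before an instance of the named
    // class exists, so unexpected classes are rejected before any gadget can run.
    static final class SafeObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED =
                Set.of(SessionToken.class.getName(), "java.lang.String");
        SafeObjectInputStream(InputStream in) throws IOException {
            super(in);
            // Java 9+ (JEP 290) filter as defence in depth: same allowlist plus size limits.
            setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    String.join(";", ALLOWED) + ";maxdepth=3;maxbytes=4096;!*"));
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(d.getName())) {
                throw new InvalidClassException(d.getName(), "not in deserialization allowlist");
            }
            return super.resolveClass(d);
        }
    }
    static Object readSafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + ((SessionToken) readSafe(serialize(new SessionToken("alice")))).user);
        try {   // HashMap stands in for any class the endpoint never expects
            readSafe(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A rejected class descriptor is the signal to log and alert on: in a correctly built application it should never occur, so each occurrence is either a bug or someone probing the endpoint.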