
PayPal Patched OAuth Token Leaking Vulnerability


PayPal has patched a phishing vulnerability that could allow attackers to steal any OAuth token for its payment apps and gain access to user accounts.

The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client.

He found that PayPal’s authorisation server, set up to handle OAuth token requests via the developer dashboard, could be manipulated into accepting localhost as the redirect_uri to which tokens are delivered.

According to Sanso, the vulnerability stemmed from an error PayPal made when it implemented OAuth. Developers at the company had set it up to accept any client. In this case Sanso used localhost, the standard hostname given to the local computer a program is running on, as the redirect_uri, the address to which OAuth providers deliver access tokens via browser redirect.

Sanso showcased the redirect_uri flaw by altering requests made by the PayPal OAuth demonstration app, whose actual registered redirect_uri is https://demo.paypal.com/loginsuccessful:

https://www.paypal.com/signin/authorize?client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHoo1Ap9ChOV0XqPdZXQt&response_type=code&scope=openid%20profile%20email%20address%20phone%20https://uri.paypal.com/services/paypalattributes%20https://uri.paypal.com/services/paypalattributes/business%20https://uri.paypal.com/services/expresscheckout&redirect_uri=https://demo.paypal.com/loginsuccessful&nonce=&newUI=Y

He then created a DNS entry for http://localhost.intothesymmetry.com to capture the redirected requests:

https://www.paypal.com/signin/authorize?client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHoo1Ap9ChOV0XqPdZXQt&response_type=code&scope=openid%20profile%20email%20address%20phone%20https://uri.paypal.com/services/paypalattributes%20https://uri.paypal.com/services/paypalattributes/business%20https://uri.paypal.com/services/expresscheckout&redirect_uri=http://localhost.intothesymmetry.com/&nonce=&newUI=Y

“So it really looks like that even if PayPal did actually perform exact matching validation, localhost was a magic word and it overrode the validation completely,” Sanso says.

Sanso discovered this issue back in September, but it took some time to get it resolved. Following a back and forth with the company – and radio silence for the month of October – PayPal informed Sanso on November 7 that it had fixed the issue.

He says developers using OAuth must register full, exact redirect_uri addresses with no second-stage redirects to protect their apps.
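The following is an added example, not PayPal's code or Sanso's: a hypothetical reconstruction of a redirect_uri check that does exact matching but treats a hostname beginning with "localhost" as a trusted exception, placed beside the strict exact-match check the article recommends. The client_id and registered redirect URI are taken from the demo-app request above; the shape of the flawed check is an assumption, since the article only reports its effect.

```python
from urllib.parse import urlsplit

# Sample client registration (client_id and redirect URI from the article's demo app).
CLIENT_ID = "AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHoo1Ap9ChOV0XqPdZXQt"
REGISTERED_REDIRECT_URIS = {
    CLIENT_ID: {"https://demo.paypal.com/loginsuccessful"},
}


def weak_redirect_uri_ok(client_id: str, redirect_uri: str) -> bool:
    """Hypothetical flawed check: exact matching against the registered URIs,
    except that any host that *begins* with 'localhost' is waved through as a
    developer convenience. 'localhost.intothesymmetry.com' satisfies that prefix
    test, so the authorization response would be redirected off-site."""
    host = urlsplit(redirect_uri).hostname or ""
    if host.startswith("localhost"):
        return True  # the "magic word" Sanso describes
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def strict_redirect_uri_ok(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: byte-for-byte equality with a pre-registered URI, no prefix
    rules and no special hostnames. A developer who really needs localhost
    registers it exactly. Unparseable URIs and fragments (forbidden for redirect
    URIs by RFC 6749 section 3.1.2) are rejected before the lookup."""
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return False
    if parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


if __name__ == "__main__":
    for uri in ("https://demo.paypal.com/loginsuccessful",
                "http://localhost.intothesymmetry.com/",
                "http://localhost/"):
        print(f"{uri:45} weak={weak_redirect_uri_ok(CLIENT_ID, uri)!s:5} "
              f"strict={strict_redirect_uri_ok(CLIENT_ID, uri)}")
```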
