Document Title:
===============
PayPal Inc - Security Key Pin Approval & Expire Bypass

Date:
=====
2018-06-25

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1666

VL-ID:
=====
1666

Common Vulnerability Scoring System:
====================================
4.3

Vulnerability Class:
====================
Insufficient Session Validation

Introduction:
=============
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance before it attempts to charge your credit card). The funding hierarchy is: a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source; it can bypass the balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account.
(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]

Abstract:
=========
The Vulnerability Laboratory Core Research Team discovered a session expiry vulnerability in the official PayPal Inc online service web-application.

Report-Timeline:
================
2018-06-26: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A vulnerability has been discovered in the official web application of PayPal Inc. in the approval of security keys. The problem allows bypassing the basic duration protection of the SMS pin session. The SMS pin for the security key does not expire within the time stated in the SMS. The text message says that the pin becomes invalid after 5 minutes.

We tested the validation of the security key pin and discovered the following error. We validated the pins several times after 30 minutes. We requested 10 pins for one phone, then waited 20-30 minutes. Then we used the first pin that arrived, which should have expired 20-30 minutes earlier. This also works if we then switch back with the browser and insert the last pin of the 10 SMS messages. Testing it the way we did shows whether the duration limit is implemented but not successfully activated. In the video demonstration we show how you can test the security key pin expiry procedure. Normally all pins must be invalid after 5 minutes; we used them after 20-30 minutes.

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with a low privileged web-application user account and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the security vulnerability ...
1. Register a paypal account
2. Include a phone number
3. Issue a security key pin (multiple times)
4. Go to the mobile sms inbox
5. Wait 20-50 minutes
6. Enter the first pin code that arrived into the browser session
7. Save the entry; the number is verified successfully
8. Switch back in the browser to the previous page
9. Now you can enter another pin code that arrived (not the last one!)
10. After saving, the security key is verified by pin
11. Successful reproduction of the vulnerability

Note: The request form has no limitation on processing pin requests. The pins also do not expire under the announced condition of 5 minutes stated in the SMS text. The page allows switching back and using another pin code, as demonstrated in the video. All of that interaction demonstrates that the duration limitation is misconfigured. The pin codes must expire after 5 minutes for security reasons!

Why do security pins expire ...
The reason a security pin expires after a specific duration of time is that the service should not validate more than one pin on multiple entries from one session. Otherwise the concept of security and also the main protection mechanism is evaded. In the paypal SMS there is a notification to the account holder that the pin expires within 5 minutes. This behaviour has been approved by our security team and we can confirm that the pin code is not limited by time duration. Thus an attacker can use a requested pin after the duration of time has passed. The attacker can also issue multiple pins by SMS and evade the control by choosing the token he wants to use. After usage of another earlier requested pin the session token does not expire and allows requesting in that case multiple times via the paypal website.

Solution:
=========
The security vulnerability can be fixed by setting the pin to expire after 5 - 10 minutes as mentioned in the paypal service notify emails. The issue was reported on 2016-10-02. The issue was resolved by 2017 Q4. The disclosure process took about 1 year (12 months).
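As an added illustration (not code from the advisory or from PayPal), the following Python sketch shows a PIN store that enforces what the Solution section asks for: a PIN expires after the 5 minutes promised in the SMS, a newly issued PIN voids any earlier one, a PIN is single-use, and issuance is rate-limited. The rate-limit numbers and the phone number are assumptions; `advisory_scenario()` replays the reproduction steps above against the store with a fake clock.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 5 * 60       # the lifetime the SMS text promises
MAX_ISSUE_PER_WINDOW = 3       # assumed rate limit; not a PayPal value
ISSUE_WINDOW_SECONDS = 15 * 60

class PinStore:
    """At most one pending PIN per phone; issuing a new one voids the old one."""
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested offline
        self.pending = {}       # phone -> (pin, issued_at)
        self.issue_log = {}     # phone -> [issued_at, ...]

    def issue(self, phone):
        now = self.clock()
        recent = [t for t in self.issue_log.get(phone, []) if now - t < ISSUE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUE_PER_WINDOW:
            raise RuntimeError("too many PIN requests for this number")
        self.issue_log[phone] = recent + [now]
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (pin, now)    # any earlier PIN is now invalid
        return pin

    def verify(self, phone, candidate):
        entry = self.pending.get(phone)
        if entry is None:
            return False
        pin, issued_at = entry
        if self.clock() - issued_at > PIN_TTL_SECONDS:
            self.pending.pop(phone)         # expired: drop it so it cannot be retried
            return False
        if not hmac.compare_digest(pin, candidate):
            return False
        self.pending.pop(phone)             # single use: a replay must fail
        return True

def advisory_scenario():
    # Replay the advisory's steps (many PINs, wait, use an old one) with a fake clock.
    now = [1_000_000.0]
    store = PinStore(clock=lambda: now[0])
    phone = "+15550000000"                  # constructed sample number
    pins = [store.issue(phone) for _ in range(3)]
    results = {"superseded": store.verify(phone, pins[0])}   # older PIN, still fresh
    now[0] += 25 * 60                       # wait 25 minutes, as the advisory did
    results["stale_last"] = store.verify(phone, pins[-1])
    fresh = store.issue(phone)
    results["fresh"] = store.verify(phone, fresh)
    results["replay"] = store.verify(phone, fresh)
    return results
```

Every entry in the returned dict except `fresh` is `False`, which is the behaviour the advisory found missing: an older, a stale, and a replayed PIN are all rejected.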
Risk:
=====
The security risk of the pin session expire web vulnerability in the paypal inc application is estimated as medium (CVSS 4.3).

Credits:
========
Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer:
===========
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for incidental or consequential damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious, militant and racist hacker/analyst/researcher groups or individuals. We do not publish researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains:  www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social:   twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™