How to Hack PayPal Account


paypal-hacking




Mr. Yasser tells that How the security breach in paypal and hackers can hijack account just single click. He mentioned in his blog.
In the POC Video Mr. Yasser successfully bypassed the PayPal security to generate exploit code for targeted attacks.

1- Reusable CSRF Token:
The CSRF token “that authenticate every single request made by the user” which can be also found in the request body of every request with the parameter name “Auth” get changed with every request made by user for security measures, but after a deep investigation I found out that the CSRF Auth is Reusable for that specific user email address or username, this means If an attacker found any of these CSRF Tokens, He can then make actions in the behave of any logged in user.
Hmm, it seems interesting but still not exploitable, as there is no way for an attacker to get the “Auth” value from a victim session.

2- Bypassing the CSRF Auth System:
The CSRF Auth verifies every single request of that user, So what If an attacker “not logged in” tries to make a “send money” request then PayPal will ask the attacker to provide his email and password, The attacker will provide the “Victim Email” and ANY password, Then he will capture the request, The request will contain a Valid CSRF Auth token Which is Reusable and Can authorise this specific user requests. Upon Further Investigation, We have found out that an Attacker can obtain the CSRF Auth which can be valid for ALL users, by intercepting the POST request from a page that provide an Auth Token before the Logging-in process, check this page for the magical CSRF Auth “https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money”. At this point the attacker Can CSRF “almost” any request on behave of this user.

pphacking1

The application generates a valid “Auth” token for a logged-out user!
Through examination of the password change process, he found that an attacker can’t Change the victim password without answering the Security Questions set by user, Also the user himself can’t change the security questions without entering the password!

3- ByPassing the Security Questions Change:

pphacking2

The initial process of “setting” security questions is not password protected and is reusable.
After further investigation, noticed that the request of setting up the security questions “which is initiated by the user while signing up” is not password-protected, and it can be reused to reset the security questions up without providing the password, hence, Armed with the CSRF Auth, an attacker can CSRF this process too and change the victim’s Security questions.
At this point, An attacker can conduct a targeted CSRF attack against a PayPal users and take a full control over his account.
Hence, An attacker can CSRF all the requests including but not limited to:
1- Add/Remove/Confirm Email address
2-Add fully privileged users to business account
3- Change Security questions
4- Change Billing/Shipping Address
5- Change Payment methods
6- Change user settings(Notifications/Mobile settings) ………… and more.
To automate the who process, Yasser has coded a Python interactive server to demonstrate how an attacker can exploit this vulnerability in a real-life scenario attack.

-> Now this Vulnerability has been patched. HOC congrates to Mr. Yasser to get $10,000 reward for this vulnerability.

SUBSCRIBE US ON YOUTUBE :- https://www.youtube.com/channel/UC3SdJHbnRGaeatRYFfFLMvw LIKE US ON FACEBOOK :- http://viid.me/qtGbUW

Comments

Post a Comment

Popular posts from this blog

Hack Instagram Account

Nir Goldshlager Founder of Break Security found the critical vulnerability in Instagram. Succesful hack allows attacker to access private photos and ability to delete victim’s photos, edit comment and post new photos. 1. Hijack Instagram accounts using the Instagram OAuth (https://instagram.com/oauth/authorize/) 2. Hijack Instagram accounts using the Facebook OAuth Dialog (https://www.facebook.com/dialog/oauth) He reported a few issues to Instagram Include OAuth Attacks, But the acquisition didn’t closed yet and Facebook Security was unable to put their hands on security issues in Instagram, So I was waiting, Waiting like a good WhiteCollar, Then Facebook Security send me a message, They say even that they were unable to fix this issues because the acquisition didn’t closed yet, They will still payout for this vulnerabilities. So, first, checked Instagram’s OAuth protocol: (http://instagram.com/developer/authentication/) While researching Instagram’s security pa
Read more

Solid Explorer Unlocker 2.2.7 APK Full Version for Android

Image
Solid Explorer Unlocker 2.2.7   APK Full Version for Android Plugins + Icon Packs This is the full version unlocker for the Solid Explorer. Attention Greenify users! Don’t hibernate the unlocker, otherwise license checking will not work ===== Important ======== IT IS ONLY THE UNLOCKER, the main app has to be installed too. To ensure, the unlocker will work properly, please do not use any software which will block permissions against the Solid Explorer. The READ_PHONE_STATE permission is used to generate unique hash of a device. No private data is being stored anywhere. ======================== Remember to install only the main app first and play with it for some time. Make sure you will purchase this unlocker only when you are fully satisfied with performance of the application. In case of any problems don’t hesitate to visit the support page. If you want a refund, send an email with [REFUND] tag and order number in the title. Orders older than 2 days wi
Read more

What is Odex & Deodex Explained in English | FREE UP YOUR INTERNAL STORAGE AND SPEED UP YOUR ANDROID

In this article, we’ll try to explain what odexed and deodexed means, and what implications does it bring to a casual user. So let's start WHAT IS AN ODEX FILE? In Android file system, applications come in packages with the extension .apk. These application packages, or APKs contain certain .odex files whose supposed function is to save space. These ‘odex’ files are actually collections of parts of an application that are optimized before booting. Doing so speeds up the boot process, as it preloads part of an application. On the other hand, it also makes hacking those applications difficult because a part of the coding has already been extracted to another location before execution. THEN COMES DEODEX Deodexing is basically repackaging of these APKs in a certain way, such that they are reassembled into classes.dex files. By doing that, all pieces of an application package are put together back in one place, thus eliminating the
Read more