[German]Disturbing story just came to me from security analysts. The provider PayPal has had (and still has) vulnerabilities in its system for a month, which were reported in January 2020, but have not yet been fixed. Hackers can abuse them to siphon a PayPal and bank accounts. In addition, about 14 days ago I have received mails from users that their PayPal accounts have been misused.
Reports about PayPal hacks
In the blog I recently reported about a PayPal hack in the article Mass newsletter spam and the Paypal account hack. One customer received thousands of newsletter subscriptions. At the end of the day it turned out that his PayPal account had been hacked and then scammers ordered goody via this hacked account. In the comments to my German blog post, another victim confirmed a similar case. A few hours ago I received an email from blog reader Michael P., who reported the following:
are you aware that another scam is currently active where scammers use hacked Paypal accounts and buy at CD keys Playstation Network cards?
A friend of mine received an email from Paypal (or a notification via their app) about the transaction. He has no PS4 and he didn’t buy the card either. He also knows not how the scammers got their paypal account.
Michael P. did some research and saw that this scam has been around since 2018
seems to exist. Michael posted me a link to the PayPal forum. On page 3 there are more and more reports of people affected in January 2020. These individual cases already draw a picture, that there is something going on. The question: How do the cyber criminals get the PayPal accounts?
Still unfixed PayPal vulnerabilities
A few hours ago I received a mail from CyberNews, which possibly provides a piece of the puzzle, why the PayPal accounts could be hacked. The security analysts are located in Vilnius and seem to be financed by BugBouty programs from companies. Their security experts are on the trail of quite a mess, if the information is accurate. The experts are warning PayPal customers about security flaws that were reported to the platform almost a month ago, but have not yet been closed. It also appears that they may have been cheated out of the bug bounty payment.
Ethical hacker scam?
According to CyberNews, the bug bounty and “ethical hacking” program run by HackerOne (www.HackerOne.com) for PayPal and many other large corporations and government agencies in the US and Europe is the center of the problem. Such programs should reward hackers for notifying companies about vulnerabilities. Large companies like Google etc. use this to get hackers to report vulnerabilities. Actually a good thing, I think.
However, the experience of CyberNews’ analysts shows the downside, the risk that some companies will avoid paying out bug bounty bonuses. And there is the suspicion of the hacker community that reported bugs are more or less been used by the reviewers of platforms like HackerOne in order to claim the bug bounty premium for themselves.
Smoking Gun in a new PayPal case?
In the recent case, analysts from CyberNews PayPal may have found something like a smoking gun for the above suspicions. The analysts first reported six vulnerabilities to PayPal via the bug bounty program operated by HackerOne in the first half of January.
- According to CyberNews, three of the reported vulnerabilities were not recognized as problems by HackerOne/PayPal, but were nevertheless silently fixed by PayPal.
- The other three vulnerabilities have still not been fixed – PayPal denies that two of them are its responsibility.
These vulnerabilities allow hackers to hijack PayPal accounts and empty users’ bank accounts, security researchers write.
HackerOne: Broken by Design?
The way HackerOne’s system works is simple: With HackerOne, in-house security analysts quickly review and categorize each reported issue and escalate or close those cases as needed. The idea is that the HackerOne security analysts identify reported problems, attempt replication and communicate with the vendor to work on a solution. That’s the theory.
Bernard Meyer, Senior Researcher at CyberNews, has now made his own experiences with this approach. He says: “There is a big flaw here: these security analysts who evaluate reports of vulnerabilities are also active bug bounty hackers. Essentially, these security analysts have the power to escalate, delay, or close a reported problem”. According to Meyer, this leads to fraud and abuse. The evaluators could act in bad faith and delay the original report while reporting the vulnerability themselves using a different identity to collect the bonus, and then close the original report as inaccurate or perhaps a duplicate.
“The system is vulnerable to abuse, especially as the security analysts on HackerOne use generic usernames. That means there’s no real way to know what they’re doing on other bug bounty platforms,” Meyer continued.
Vulnerabilities reported, nothing paid and punished on top
When analysts discovered the six vulnerabilities in PayPal, HackerOne, according to their own statements, encountered unresponsive employees, vague answers and often even refusal. The vulnerabilities endangered the security of millions of PayPal users. The security analysts complained when they realized what went wrong and tried to put pressure on the HackerOne staff to get the reports forwarded. The HackerOne staff then removed points from the reputation index of the account, according to Cybernews. This downgraded Cybernews’ PayPal reporting profiles to a suspicious, spam-like level.
Bitter, because people write that this happened even though the vulnerabilities they reported were patched afterwards. There were no rewards for these reports and the security researchers did not even receive credits or a thank you. Instead, they had been downgraded on HackerOne. At the end of the day, they were worse off than if they had reported notthing.
PayPal: Bad reputation among bug bounty hunters
Could be dismissed as an isolated case, unfortunate concatenation of circumstances or simply a misrepresentation of the CyberNews people. But people write: “Even our analysts are not the only ethical hackers who experience this. PayPal has a reputation for avoiding paying legitimate bug bounty premiums. This is the case of the 17-year-old hacker who found a major bug on PayPal in 2013. PayPal refused to pay because the hacker was too young. ” The case of Robert Kugler from 2013 and other cases concerning PayPal’s behaviour in the bug bounty program are mentioned here.
The six PayPal vulnerabilities
The security researchers have documented the current case in this article along with the vulnerabilities. For example, the two-factor authentication (2FA) at PayPal can probably be easily levered out. Here is a list of open vulnerabilities that the people from CyberNews have provided me with.
Only three vulnerabilities (#4 Full name change, #5 Self-help SmartChat vulnerability on PayPal and #6 Security questions persistent XSS) have been fixed. The details are described in this CyberNews article.
What I noticed the days and today I currently can’t change the password in my PayPal account the way I want. Invalid characters are reported by mistake and the new password is not accepted. Furthermore I tried to remove the registered bank account – does not work. Broken by Design.
Addendum: Seems it’s taking an unpleasant move – within 2 weeks I’ve several PayPal abuse cases in the blog (see link list).