Hello dear readers, I hope you are all doing well. I am writing this short article to disclose a vulnerability I found on PayPal's main website that got rejected.
I was reading my Twitter feed when a post caught my attention about a Captcha-bypass vulnerability in PayPal worth $1000. The post was getting retweeted, so I decided to have a look at it.
I found that the security researcher did not actually bypass the Captcha; he only found a way to bypass the rate-limit protection on the password reset page by abusing the "Resend email" feature. The security flaw was that the auth token was not validated by the server, allowing any malicious attacker to flood/spam a targeted user's mailbox with unwanted messages on behalf of PayPal. It is not a critical vulnerability, but it could be exploited to cause irritation and nuisance for the user.
The vulnerability has been patched by the PayPal security team. However, I was able to find a new bypass for it, as the auth token is not expired once used, which means it can be used multiple times to authenticate the request. With the help of Burp Suite Intruder I made a full proof of concept demonstrating the issue by flooding my own Outlook mailbox with password reset messages, as you can see in the following video:
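As an added illustration (my own code, not taken from the original post and not PayPal's implementation), here is a minimal model of a password-reset "Resend email" endpoint that closes both gaps described above: every presented token is validated and consumed on use, so it cannot be replayed, and the send quota is keyed by the target account rather than by the token, so obtaining or reusing tokens cannot reset the counter. The class and function names, the limits, the fake clock and the in-memory stores are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example; a real deployment would tune these.
TOKEN_TTL_SECONDS = 15 * 60        # a reset token is valid for 15 minutes
SEND_LIMIT = 3                     # max reset emails per account per window
SEND_WINDOW_SECONDS = 60 * 60      # sliding window for the per-account quota


@dataclass
class ResetRequest:
    """Server-side record of one issued reset token (only its hash is stored)."""
    account: str
    expires_at: float
    consumed: bool = False


class PasswordResetService:
    """Hypothetical reset service: single-use tokens plus a per-account send quota."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so tests can move time
        self._requests = {}          # sha256(token) -> ResetRequest
        self._send_log = {}          # account -> list of send timestamps
        self.outbox = []             # constructed stand-in for the mailer

    @staticmethod
    def _hash(token):
        # Store only a hash so a database leak does not expose live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _rate_limited(self, account):
        # The quota is keyed by account: no token value can reset it.
        cutoff = self._now() - SEND_WINDOW_SECONDS
        recent = [t for t in self._send_log.get(account, []) if t > cutoff]
        self._send_log[account] = recent
        return len(recent) >= SEND_LIMIT

    def _issue(self, account):
        # Mint a fresh random token, record its hash and TTL, "send" the mail.
        token = secrets.token_urlsafe(32)
        self._requests[self._hash(token)] = ResetRequest(
            account=account, expires_at=self._now() + TOKEN_TTL_SECONDS)
        self._send_log.setdefault(account, []).append(self._now())
        self.outbox.append((account, token))
        return token

    def request_reset(self, account):
        """Start a reset flow. Returns the token, or None if the quota is exhausted."""
        if self._rate_limited(account):
            return None
        return self._issue(account)

    def resend(self, token):
        """'Resend email' endpoint. Returns (new_token, status).

        Checks, in order: the token must exist, be unexpired and unused
        (single-use); then the account must still be under its send quota.
        A successful resend consumes the old token and rotates to a new one.
        """
        req = self._requests.get(self._hash(token))
        if req is None or req.consumed or req.expires_at < self._now():
            return None, "invalid_token"
        if self._rate_limited(req.account):
            return None, "rate_limited"
        req.consumed = True                  # the presented token can never be replayed
        return self._issue(req.account), "sent"


def demo():
    svc = PasswordResetService()
    t1 = svc.request_reset("alice@example.test")      # constructed sample account
    t2, status = svc.resend(t1)
    print("first resend:", status)                     # sent
    print("replay of consumed token:", svc.resend(t1)[1])   # invalid_token
    t3, _ = svc.resend(t2)
    print("fourth email in the window:", svc.resend(t3)[1])  # rate_limited


if __name__ == "__main__":
    demo()
```

The two properties the post's bypass relied on are each enforced in `resend`: a consumed or unknown token never reaches the mailer, and even a valid token is refused once the account's window quota is spent, so neither token reuse nor a stream of fresh tokens can be used to flood the mailbox.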
Unfortunately, PayPal did not accept the issue this time, considering it Low risk. The photo below is the response I got from them.
Finally, PayPal is not planning to mitigate this flaw and they are willing to take the risk. But I am not responsible for any misuse of the vulnerability to harm other users, and this post is only for educational purposes.