Yassine ABOUKIR

Web App Security Consultant & ISCAEist


Rate-limit protection bypass in PayPal reset password page

January 24, 2015, by Yassine ABOUKIR, 2 Comments

Hello dear readers, I hope you are all doing well. I am writing this short article to disclose a vulnerability I found on PayPal's main website that was rejected.

I was reading my Twitter feed when a post caught my attention about a CAPTCHA bypass vulnerability in PayPal worth $1000. The post was getting retweeted, so I decided to have a look at it.

I found that the security researcher did not actually bypass the CAPTCHA; he only found a way to bypass the rate-limit protection on the password reset page by abusing the "Resend email" feature. The flaw was that the auth token was not validated by the server, which allowed any attacker to flood/spam a targeted user's mailbox with unwanted messages on behalf of PayPal. It is not a critical vulnerability, but it could be exploited to cause irritation and nuisance for the user.

[Screenshot: the auth token in the request]
[Screenshot: the "Resend email" request]

The vulnerability was patched by the PayPal security team. However, I was able to find a new bypass: the auth token does not expire once it has been used, which means the same token can be replayed to authenticate the request as many times as you like. With the help of Burp Suite Intruder I made a full proof of concept demonstrating the issue by flooding my own Outlook mailbox with password reset messages, as you can see in the following video:

[Video: Burp Suite Intruder proof of concept]
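To make the two behaviours concrete, here is an added example of my own; it is not PayPal's code and not the author's Burp PoC. It models a password reset flow with a "resend" endpoint in memory, once with the flaw described above (the token that authenticates the resend request is never spent, so one captured request can be replayed indefinitely) and once hardened with single-use, rotated tokens plus a per-account cap on reset emails. The class and method names, the token format, the 3-emails-per-hour cap and the `replay_attack` helper standing in for Intruder are all assumptions chosen for illustration.

```python
"""Reset-flow model: replayable "resend" token vs. single-use token + per-account cap.

Added example, not PayPal's code. Names, token format and limits are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetToken:
    account: str
    issued_at: float
    used: bool = False


class VulnerableResetService:
    """Models the flaw in the post: the token sent with the "Resend email"
    request is never expired or marked used, so one captured request can be
    replayed indefinitely (which is exactly what Burp Intruder does)."""

    def __init__(self):
        self.tokens = {}   # raw token value -> ResetToken
        self.outbox = []   # recipient of every reset email "sent"

    def start_reset(self, account):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = ResetToken(account, time.monotonic())
        self.outbox.append(account)
        return token

    def resend(self, token):
        rec = self.tokens.get(token)
        if rec is None:
            return None
        # Bug: nothing changes server-side after a resend, so the same
        # token authenticates the next request, and the one after that.
        self.outbox.append(rec.account)
        return token


class HardenedResetService:
    """Same flow with two independent controls: every token is single-use and
    rotated on each resend, and reset emails per account per time window are
    capped no matter which token is presented (limits are assumed values)."""

    def __init__(self, max_emails_per_window=3, window_seconds=3600, clock=time.monotonic):
        self.max_emails = max_emails_per_window
        self.window = window_seconds
        self.clock = clock
        self.tokens = {}    # sha256(token) -> ResetToken; raw tokens are never stored
        self.sent_at = {}   # account -> timestamps of reset emails in the window
        self.outbox = []

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, account):
        token = secrets.token_urlsafe(24)
        self.tokens[self._key(token)] = ResetToken(account, self.clock())
        return token

    def _send_allowed(self, account):
        now = self.clock()
        recent = [t for t in self.sent_at.get(account, []) if now - t < self.window]
        self.sent_at[account] = recent
        return len(recent) < self.max_emails

    def _send(self, account):
        self.sent_at.setdefault(account, []).append(self.clock())
        self.outbox.append(account)

    def start_reset(self, account):
        # The initial email counts toward the cap as well.
        if not self._send_allowed(account):
            return None
        self._send(account)
        return self._issue(account)

    def resend(self, token):
        rec = self.tokens.get(self._key(token))
        if rec is None or rec.used:
            return None                      # unknown or already spent: a replay fails
        if not self._send_allowed(rec.account):
            return None                      # account cap reached; token stays unspent
        rec.used = True                      # single-use
        self._send(rec.account)
        return self._issue(rec.account)      # client receives a fresh token for the next resend


def replay_attack(service, token, attempts, follow_rotation=False):
    """Replay the captured resend request `attempts` times (Intruder-style).
    With follow_rotation the attacker reads each response and uses the new
    token, as someone driving the reset page in a browser could. Returns the
    number of resend requests the service accepted."""
    accepted = 0
    for _ in range(attempts):
        result = service.resend(token)
        if result is None:
            continue
        accepted += 1
        if follow_rotation:
            token = result
    return accepted


if __name__ == "__main__":
    vuln = VulnerableResetService()
    print("vulnerable:", replay_attack(vuln, vuln.start_reset("victim@example.com"), 50), "resends accepted")
    hard = HardenedResetService()
    print("hardened:  ", replay_attack(hard, hard.start_reset("victim@example.com"), 50, follow_rotation=True), "resends accepted")
```

The point of keeping both controls is that each stops a different attacker: marking the token as spent defeats the blind replay the post describes, but an attacker who simply keeps the reset page open gets the rotated token with every response, so only the per-account cap bounds the number of emails the victim can receive.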

Unfortunately, PayPal did not accept the issue this time, considering it low risk. The image below is the response I got from them.

[Screenshot: PayPal's response]

Finally, PayPal is not planning to mitigate this flaw and is willing to accept the risk. I am not responsible for any misuse of the vulnerability to harm other users; this post is only for educational purposes.

Thanks.

This article has 2 comments
  1. Kamran Saifullah
    17 June 2015

    Great article. Helped me a lot to understand a new thing. I have also reported this issue and, as you said in the last lines, it could be exploited to cause irritation and nuisance for the user. I totally agree with it, as I also exploited the vulnerability and spammed my own email address by manipulating the client_token 🙂 Thanks

