PayPal Addresses Months-Old SQL Injection Vulnerability, Frozen Accounts

Researchers with Vulnerability Lab today announced mega payment processor PayPal has fixed a flaw on its site that allowed a remote user or a local user with low privileges to compromise a Web application using a blind SQL injection.

The vulnerability was first reported to PayPal back in August, according to Softpedia, but the company waited until now to announce a fix. PayPal awarded the researchers a $3,000 bounty for responsibly disclosing their find.

“The security hole existed in the unique number field of the email confirmation module …. The affected parameter was “login_confirm_number_id“ bearing the name “login_confirm_number,“ according to the site. “The validation of the confirm number input field is watching all the context since the first valid number matches. The attacker uses a valid number and includes the statement after it to let both pass through the PayPal application filter.

“The result is the successful execution of the SQL command when the module is processing to reload the page module. Exploitation of the vulnerability requires a low privileged application user account to access the website area and can be processed without user interaction.“

The researchers also provided proof of concept that details the discovery.

PayPal made news earlier this week with a nebulous announcement it planned to introduce “drastic changes” in how it handles suspected fraud.

The company has been heavily criticized for a current policy and aggressive fraud filters that routinely lock out legitimate businesses and charities when there’s a surge in donations or orders. The average freeze is three weeks, but the terms of service allow PayPal to take up to 180 days to resolve a case.

“These are not minor — these are aggressive changes,” Anuj Nayar, PayPal’s senior director of communications, told CNN Money, adding that better communications would a cornerstone of the new policy. “This is a fundamental shift in our business operations.”

Currently, if an account is frozen, the account holders must provide paperwork, such as bank statements and tax records, before the company will release the funds. This can severely impact both businesses and charities who need access to cash before the company has completed its investigation. Grassroots fundraisers, such as those to help someone with treatments or unexpected medical expenses, in particular may have trouble producing the documentation in time-sensitive situations.

“At a minimum, the fact that someone needs to mail in something to an online payments company is a problem,” Nayar said. “2013 is going to be the year that we fix a lot of those pain points.”