PayPal Inc - Security Key Pin Approval & Expire Bypass

Type vulnerlab
Reporter Benjamin K.M. [] -
Modified 2018-06-26T00:00:00


Document Title:
PayPal Inc - Security Key Pin Approval & Expire Bypass

References (Source):

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Vulnerability Class:
Insufficient Session Validation

Current Estimated Price:
500€ - 1.000€

Product & Service Introduction:
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money 
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, 
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some 
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined 
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified 
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy 
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your 
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a 
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary 
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request 
a transfer to their bank account.


Abstract Advisory Information:
The Vulnerability Laboratory Core Research Team discovered a session expiry vulnerability in the official PayPal Inc. online service web application.

Vulnerability Disclosure Timeline:
2018-06-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Affected Product(s):

Exploitation Technique:

Severity Level:

Authentication Type:
Restricted authentication (user/moderator) - User privileges

User Interaction:
No User Interaction

Disclosure Type:
Bug Bounty Program

Technical Details & Description:
A vulnerability has been discovered in the official web application of PayPal Inc. in the approval of security keys.
This problem allows bypassing the basic duration protection of the SMS pin session. The SMS pin for the security key does 
not expire within the time stated in the SMS. The text message says that the pin becomes invalid after 5 minutes. We tested the 
validation of the security key pin and discovered the following error.

We validated the pins several times after 30 minutes. We requested 10 pins for one phone number, then waited 20-30 minutes, 
then used the first pin that had arrived, which should have expired 20-30 minutes earlier. It was accepted. This also works if 
we then switch back with the browser and enter the last pin of the 10 SMS messages. In this way one is able to check whether 
the duration limit is implemented but not actually enforced. In the video demonstration we show how to test the security key 
pin expiry procedure. Normally all pins must be invalid after 5 minutes; we used them after 20-30 minutes.

Proof of Concept (PoC):
The vulnerability can be exploited by remote attackers with a low-privileged web application user account and without user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps below.

Manual steps to reproduce the security vulnerability ...
1. Register a PayPal account
2. Add a phone number
3. Request a security key pin (multiple times)
4. Go to the mobile SMS inbox
5. Wait 20-50 minutes
6. Enter the first pin code that arrived into the browser session
7. Save the entry; the number is verified successfully
8. Switch back to the previous page in the browser
9. Now you can enter another of the pin codes that arrived (not the last one!)
10. After saving, the security key is verified by the pin
11. Successful reproduction of the vulnerability

The request form has no limit on how many pins can be requested. 
The pins also do not expire under the announced condition of 5 minutes stated in the SMS text.
The page allows switching back and using another pin code, as demonstrated in the video.
All of this interaction demonstrates that the duration limit is misconfigured.
The pin codes must expire after 5 minutes for security reasons!

Why do security pins expire ...
The reason a security pin expires after a specific duration of time is that the service should not validate more than one pin 
across multiple entries in one session. Otherwise the security concept and its main protection mechanism are evaded. The PayPal SMS 
notifies the account holder that the pin expires within 5 minutes. This behaviour has been verified by our security team, and we can 
confirm that the pin code is not limited by time. This can allow an attacker to use a requested pin after the announced duration. 
The attacker can also issue multiple pins by SMS and evade the control by choosing which token to enter. After use of an earlier 
requested pin the session token does not expire, which in that case allows requesting pins multiple times via the PayPal website.

Solution - Fix & Patch:
The security vulnerability can be fixed by setting the pin to expire after 5 - 10 minutes, as stated in the PayPal service notification emails.
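The fix described above, together with the observations in the "Why do security pins expire" section, amounts to a few server-side rules: a pin is valid only within the announced lifetime, only the most recently issued pin for a phone number is live, a pin is consumed on first successful use, and issuance is rate limited (the advisory notes the request form had no limit). The following Python sketch is added here as an illustration; it is not PayPal's code or the advisory author's. It models such a verifier with an injectable clock and code source so that the advisory's scenario (several pins requested, a long wait, the first pin tried, then a switch back to another pin) can be replayed deterministically. The policy constants, the sample phone number and the fixed pin values are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed policy values for this illustration. The 5-minute lifetime mirrors
# the expiry the PayPal SMS announces; the remaining limits are assumptions.
PIN_TTL_SECONDS = 5 * 60
MAX_ISSUES_PER_WINDOW = 3
ISSUE_WINDOW_SECONDS = 15 * 60
MAX_FAILED_ATTEMPTS = 5


def random_pin() -> str:
    """Six-digit pin from a CSPRNG (the default code source)."""
    return f"{secrets.randbelow(10 ** 6):06d}"


@dataclass
class PendingPin:
    code: str
    issued_at: float
    failed_attempts: int = 0


class PinVerifier:
    """At most one live pin per phone number: issuing a new pin retires the old
    one, a pin is consumed on first success, and stale pins are rejected."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 code_source: Callable[[], str] = random_pin) -> None:
        self._clock = clock
        self._code_source = code_source
        self._pending: Dict[str, PendingPin] = {}
        self._issue_log: Dict[str, List[float]] = {}

    def issue(self, phone: str) -> str:
        now = self._clock()
        recent = [t for t in self._issue_log.get(phone, [])
                  if now - t < ISSUE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUES_PER_WINDOW:
            raise RuntimeError("too many pins requested for this number")
        recent.append(now)
        self._issue_log[phone] = recent
        code = self._code_source()
        # Overwriting the entry retires every earlier pin for this number.
        self._pending[phone] = PendingPin(code=code, issued_at=now)
        return code

    def verify(self, phone: str, submitted: str) -> bool:
        now = self._clock()
        entry = self._pending.get(phone)
        if entry is None:
            return False  # no live pin: never issued, already used, or retired
        if (now - entry.issued_at > PIN_TTL_SECONDS
                or entry.failed_attempts >= MAX_FAILED_ATTEMPTS):
            del self._pending[phone]  # stale or guessed too often: drop it
            return False
        if not hmac.compare_digest(entry.code, submitted):
            entry.failed_attempts += 1
            return False
        del self._pending[phone]  # single use: consume on success
        return True


class FakeClock:
    """Controllable clock so the advisory's waiting periods can be simulated."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def replay_advisory_scenario() -> Dict[str, bool]:
    """Request several pins, wait, then try the first, the last and a fresh one."""
    clock = FakeClock()
    codes = iter(["111111", "222222", "333333", "444444"])  # constructed, distinct
    verifier = PinVerifier(clock=clock, code_source=lambda: next(codes))
    phone = "+10000000000"  # constructed sample number
    pins = []
    for _ in range(MAX_ISSUES_PER_WINDOW):
        pins.append(verifier.issue(phone))
        clock.advance(60)
    try:
        verifier.issue(phone)
        rate_limited = False
    except RuntimeError:
        rate_limited = True
    results = {"rate_limited": rate_limited}
    # Step 9 of the advisory: an earlier pin must be dead once a later one exists.
    results["earlier_pin_rejected"] = not verifier.verify(phone, pins[0])
    clock.advance(30 * 60)  # steps 5-6 of the advisory: wait 30 minutes
    results["stale_pin_rejected"] = not verifier.verify(phone, pins[-1])
    fresh = verifier.issue(phone)  # issue window has passed, allowed again
    results["fresh_pin_accepted"] = verifier.verify(phone, fresh)
    results["replay_rejected"] = not verifier.verify(phone, fresh)
    return results


if __name__ == "__main__":
    print(replay_advisory_scenario())
```

Keeping a single pending entry per phone number is what makes "switch back and enter an earlier pin" fail by construction; the expiry check and the delete-on-success line are what the advisory found missing. A production version would keep the entries in shared storage with a TTL rather than in process memory.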

The issue was reported on 2016-10-02 and resolved by 2017 Q4. The disclosure process took about 1 year (12 months).

Security Risk:
The security risk of the pin session expiry web vulnerability in the PayPal Inc. application is estimated as medium (CVSS 4.3).

Credits & Authors:
Benjamin K.M. [] -

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 


Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™