Michael Stepankin, also known as Artsploit, has disclosed a major vulnerability in PayPal's business site, allowing remote code execution.

Max Metzger
January 27, 2016

A critical vulnerability has been found in payment processing giant PayPal's business website, manager.paypal.com.

The security researcher known as Artsploit, Michael Stepankin, discovered the vulnerability late last year. Artsploit's disclosure post mentions that he discovered a post form parameter called ‘oldFormData' that, according to Stepankin, looks “like a complex object after base64 decoding”.

As it turns out, it was a Java serialised object with no signature.

Serialisation is a process that lets developers convert data to a static, binary format which one can then use for transmission among other things. As was revealed in a post by Chris Frohoff and Gabriel Lawrence at Foxglove security, this becomes a problem “when developers write code that accepted serialised data from users and attempt to serialise for use in the program”.

Such a vulnerability, Frohoff and Lawrence explained, properly exploited can allow an attacker to carry out remote code execution on the target. In this case, Stepankin discovered that one could execute arbitrary OS commands on manager.paypal.com servers and upload and execute a backdoor.

Stepankin spoke to SCMagazineUK.com and explained how this particular exploit could be used on PayPal. He said a hacker “could gain access to production databases where PayPal business customers data is stored. I didn't even try to do it because it's considered illegal [even] when you perform security testing.”

Stepankin even kindly made a video of how to exploit this vulnerability.

Although despite this detailed undressing of how to exploit this vulnerability, Paypal, as Stepankin notes, worked “within a couple of days” to fix the vulnerability. The Paypal team, who maintains a bug bounty programme, "decided to pay me a good bounty and I have nothing but respect for them," Stepankin wrote.