For the PayPal security team, “getting user balances and transaction details” is not a vulnerability!
I have already contacted PayPal CN, and they have taken the feature offline to prevent the vulnerability from being exploited.
After the victim logs in through a link sent by the attacker and authorizes PayPal, the attacker can obtain the victim’s account information and balance.
To fit the app-usage habits of Chinese users, PayPal registered two WeChat official accounts (公众号): “PayPal贝宝” and “PayPal外贸帮”. Both are marked as official PayPal accounts.
So I tested the functions of the WeChat official account “PayPal外贸帮” and found the account-hijacking vulnerability.
First, scan the following QR code with the WeChat app (open the WeChat app > tap + in the top-right corner > Scan QR Code):
Then tap “Follow”, then “注册查询” (registration query) > “查询明细” (query details), as shown:
On a first visit it displays as follows:
If you have already visited, it displays:
The program then binds the session to the current WeChat account:
As the figure shows, you cannot log in to your PayPal account directly inside the WeChat app; you have to copy the link and open it in a browser. The link obtained is as follows (when testing, repeat the steps above to get the link for your own WeChat account):
Send the link to the victim. The victim opens it in their browser; if they are not logged in, they are first asked to log in to their PayPal account:
If the victim is already logged in, it appears as follows:
Note that this time it is “PayPal” itself requesting user authorization, not a third-party domain. A third-party domain’s authorization request looks like this (www.pacificworldcoins.com as an example):
Seeing that it is PayPal’s own official request for authorization, the victim feels reassured and clicks OK.
The victim’s PayPal account is now bound to the attacker’s WeChat account. Through the query function of the WeChat official account “PayPal外贸帮”, the attacker can look up the victim’s PayPal balance.
The attacker opens the WeChat official account “PayPal外贸帮” and taps “注册查询” > “查询明细”:
The attacker successfully obtains the victim’s account e-mail address and balance:
The victim can see the permission granted to PayPal at https://www.paypal.com/myaccount/settings/permissions:
Note again that it is PayPal itself that applied for the permission!
After obtaining the authorization, the attacker can get the user’s balance details. The video is as follows:
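To make the weakness in the flow above concrete, here is an added Python simulation written for this write-up; it is not PayPal’s or WeChat’s code, and every name in it (VulnerableBinder, ReversedBinder, issue_link, mint_code, the OpenIDs and balances) is invented. The vulnerable class models what the post describes: the WeChat bot mints a bearer link for its own OpenID, and whichever PayPal account clicks OK on that link gets bound to that OpenID. The hardened class reverses the direction of the secret: a short-lived, single-use code is minted inside the authenticated PayPal session and typed into WeChat, so a code the attacker prepares can only ever bind the attacker’s own account.

```python
"""Model of the WeChat <-> PayPal binding flow described in the post.

Hypothetical simulation added for this write-up, not PayPal's or WeChat's
code. All class/function names are invented; the account data is constructed.
"""
import secrets
import time
from dataclasses import dataclass

# Constructed sample data: PayPal e-mail -> balance the bot would reveal.
BALANCES = {"victim@example.com": "1,250.00 USD", "attacker@example.com": "3.00 USD"}


@dataclass
class Browser:
    """A browser session with a logged-in PayPal user."""
    paypal_user: str


class VulnerableBinder:
    """Flow as described in the post: the WeChat bot mints a bearer link for
    its OpenID; whoever opens the link in a browser and clicks OK becomes the
    PayPal account bound to that OpenID. Nothing proves the PayPal user who
    clicks OK is the same person as the WeChat user who minted the link."""

    def __init__(self):
        self.pending = {}    # token -> WeChat OpenID that requested the link
        self.bindings = {}   # WeChat OpenID -> bound PayPal e-mail

    def issue_link(self, wechat_openid):
        token = secrets.token_urlsafe(16)
        self.pending[token] = wechat_openid
        return f"https://bind.example.invalid/?token={token}"

    def authorize(self, browser, link):
        """Consent page: 'PayPal requests permission', binds on OK."""
        token = link.rsplit("token=", 1)[1]
        openid = self.pending.pop(token, None)
        if openid is None:
            return False
        self.bindings[openid] = browser.paypal_user
        return True

    def query_details(self, wechat_openid):
        """The bot's 查询明细 menu: e-mail and balance of the bound account."""
        email = self.bindings.get(wechat_openid)
        return None if email is None else (email, BALANCES[email])


class ReversedBinder:
    """Hardened variant: the secret is minted inside the authenticated PayPal
    session (the account that will be exposed) and entered in WeChat, so a
    code prepared by an attacker binds only the attacker's own account.
    Codes are single-use and expire after TTL seconds."""

    TTL = 300

    def __init__(self, now=time.time):
        self.now = now       # injectable clock so expiry can be tested
        self.codes = {}      # code -> (PayPal e-mail, expiry timestamp)
        self.bindings = {}

    def mint_code(self, browser):
        code = secrets.token_hex(4)
        self.codes[code] = (browser.paypal_user, self.now() + self.TTL)
        return code

    def redeem_in_wechat(self, wechat_openid, code):
        entry = self.codes.pop(code, None)   # pop makes the code single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        self.bindings[wechat_openid] = email
        return True

    def query_details(self, wechat_openid):
        email = self.bindings.get(wechat_openid)
        return None if email is None else (email, BALANCES[email])


def demo():
    """Replays the attack against both designs; returns what the attacker sees."""
    attacker_wx, victim = "wx-attacker", Browser("victim@example.com")
    vuln = VulnerableBinder()
    link = vuln.issue_link(attacker_wx)        # attacker mints the link in WeChat
    vuln.authorize(victim, link)               # victim opens it logged in, clicks OK
    leaked = vuln.query_details(attacker_wx)   # attacker reads the victim's data

    fixed = ReversedBinder()
    code = fixed.mint_code(Browser("attacker@example.com"))  # attacker can only mint for self
    fixed.redeem_in_wechat(attacker_wx, code)
    safe = fixed.query_details(attacker_wx)    # only the attacker's own account
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

The remaining risk in the reversed design is social engineering of a code the victim knowingly generates on a page that tells them what it does; that is a very different bar from the original flow, where the consent page showed PayPal’s own name and gave the victim no hint which WeChat account would gain access.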
Reply from the PayPal security team: “From what was provided, an attacker can use the authorization link to link another user’s PayPal account (even with the app requesting permissions for PayPal) and be able to see the email and balance. However, from our end, we are only seeing a type of fraud activity and nothing more. What was provided did not show exactly what an attacker could do beyond that. Could they act as the victim? Make purchases in their name/balance? Edit major settings for the user? These types of questions were being considered. At best, it can be considered you are only getting/seeing limited information. As no impact was shown, there was not much more to get insight on the risk of this.”
So, as a white hat on h1, I suggest that you do not submit this type of vulnerability to PayPal, because there will be no reward. (The h1 security team doesn’t think this is a vulnerability, but if this vulnerability occurred in h1, would they handle it like this?)
Update: Suppose you buy an item on Amazon, and then someone knows what you bought and when. Wouldn’t you think that is a vulnerability? Or is it normal on PayPal to get someone else’s balance information; is that normal behavior? From the way this vulnerability was handled, you can see that personal privacy data is meaningless to PayPal.