For the PayPal security team, “get user balances and transaction details” is not a vulnerability!

todaro
5 min read · Apr 26, 2019


Update:

I have already contacted PayPal CN; they have taken the feature offline to prevent the vulnerability from being exploited.

Vulnerability description:

After the attacked person logs in through a link sent by the attacker and authorizes PayPal, the attacker can obtain the attacked person's account information and balance.

Vulnerability details:

On https://www.paypal.com/c2/webapps/mpp/merchant?locale.x=zh_C2 I saw:

This screenshot is from PayPal's official website, indicating that this is an official PayPal service.

PayPal registered two WeChat official accounts to match Chinese users' app habits: one is “PayPal贝宝” and the other is “PayPal外贸帮”. The page indicates that both are official PayPal accounts.

So I tested the functions of the WeChat official account “PayPal外贸帮” and found the account hijacking vulnerability.

First, scan the following picture with the WeChat app (open WeChat, tap + in the top right corner, then Scan QR Code):

Scan this QR code via WeChat

Then tap “Follow”, then “注册查询” (Registration Query), then “查询明细” (Query Details), as shown:

The function on the WeChat official account: Registration Query, then Query Details (the function for querying the user's balance)

If you are visiting for the first time, it displays as follows:

The WeChat official account requests your WeChat user information

If you have already visited, it displays:

This image is shown if you have already authorized it in WeChat

Tap “同意并继续” (Agree and continue):

Terms for the PayPal balance query

The program then binds the session to the current WeChat account:

As the figure shows, you cannot log in to your PayPal account directly inside the WeChat app; you need to copy the link and open it in a browser. The link obtained is shown below (when testing, follow the steps above to get the link for your own WeChat account):

Send the link to the attacked person. When they open it in their browser, if they are not logged in they are first asked to log in to their PayPal account:

https://www.paypal.com/c2/signin/authorize?client_id=AYTEs_A29KfUT0NSBFTtGRaYlyiXVMMJDmnEZxdCBJxZwCEIrhCpVo4vTVConJtmh5sJY8YnPqqrmMkS&response_type=code&scope=profile+email+openid+https://uri.paypal.com/services/identity/activities/third-party-providers+https://uri.paypal.com/services/wallet/balance-accounts/read+https://uri.paypal.com/services/paypalattributes&redirect_uri=https://www.paypal-proserv.com/wechat-paypal/authenticate&state=bMT8E8LjTLtFXAr4s8VAVwpfqRGHZzIM131BE542A69AF8AA5C766B08A38F2E60

PayPal asks you to log in to your account

If the attacked person has already logged in to the account, it appears as follows:

This image shows that PayPal not only requests your location and other information, but also requests your balance information (note that the application requesting the balance permission is PayPal itself)

It can be seen that this time it is “PayPal” requesting the user's authorization, not a third-party domain. A third-party domain requests authorization as shown below (taking www.pacificworldcoins.com as an example):

In contrast, these are the permissions a third-party application requests: only the geographic location information; the balance information cannot be obtained.

At this point, the attacked person feels relieved to click OK because they see that it is PayPal's official request for authorization.

This picture tells you that the user has been successfully bound; please use the WeChat official account for the balance inquiry.

This means that the attacked person's PayPal account has been bound to the attacker's WeChat account. The attacker can query the attacked person's PayPal account balance through the function of the WeChat official account “PayPal外贸帮”.

The attacker opens the WeChat official account “PayPal外贸帮” and taps “注册查询”, then “查询明细”:

The attacker successfully obtains the attacked person's account email address and balance information:

The attacked person can see the permissions granted to PayPal at https://www.paypal.com/myaccount/settings/permissions, as follows:

This picture tells you that the PayPal application's permissions include basic user information as well as balance information.

At the same time, you can also notice that it is PayPal that is applying for the permission!

After obtaining the authorization, you can get the user's balance details. The video is as follows:
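The binding flow walked through above, as an added example that is not code from this post or from PayPal: a constructed Python model of the WeChat-side backend that reproduces the reported behaviour (whichever PayPal account completes the link is bound to the WeChat account that requested it) next to one hardening, chosen here as an assumption, that finishes the binding only when a code shown in the browser is sent back from the WeChat account that requested the link. The `redirect_uri` is the one in the link above; the class and method names are hypothetical.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE = "https://www.paypal.com/c2/signin/authorize"
REDIRECT_URI = "https://www.paypal-proserv.com/wechat-paypal/authenticate"  # from the post's link


class BindingService:
    """Constructed model of the WeChat-to-PayPal binding backend (not PayPal's code).
    confirm_in_initiator=False reproduces the reported flaw: whoever completes the link
    in a browser is bound to the WeChat account that requested it.  With True, the
    binding is finished only after a one-time code shown to the PayPal account holder
    in the browser is sent back from that same WeChat account."""

    def __init__(self, confirm_in_initiator):
        self.confirm_in_initiator = confirm_in_initiator
        self.pending = {}      # state -> WeChat account that requested the link
        self.unconfirmed = {}  # WeChat account -> (confirmation code, PayPal account)
        self.bindings = {}     # WeChat account -> PayPal account

    def start(self, wechat_id):
        """'注册查询' step: issue an authorization link tied to this WeChat account."""
        state = secrets.token_hex(16)
        self.pending[state] = wechat_id
        query = urlencode({"response_type": "code", "redirect_uri": REDIRECT_URI, "state": state})
        return f"{AUTHORIZE}?{query}"

    def callback(self, callback_url, paypal_account):
        """redirect_uri handler. paypal_account stands in for the identity obtained by
        exchanging the code: whoever opened the link in a browser and clicked 同意并继续."""
        state = parse_qs(urlparse(callback_url).query).get("state", [None])[0]
        wechat_id = self.pending.pop(state, None)
        if wechat_id is None:
            return "rejected: unknown or reused state"
        if not self.confirm_in_initiator:
            self.bindings[wechat_id] = paypal_account  # flaw: no proof that link creator == link user
            return "bound"
        code = secrets.token_hex(3)
        self.unconfirmed[wechat_id] = (code, paypal_account)
        return f"enter code {code} in the WeChat account that requested this link"

    def confirm(self, wechat_id, code):
        """Message sent from the WeChat account; only the browser user has seen the code."""
        expected, paypal_account = self.unconfirmed.get(wechat_id, (None, None))
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        del self.unconfirmed[wechat_id]
        self.bindings[wechat_id] = paypal_account
        return True
```

In the flawed mode the attacker's WeChat account ends up bound to whichever PayPal account opened the link; in the hardened mode the binding stays pending until the person holding the browser passes the code back, which a phished recipient has no reason to do.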

Reply from the PayPal security team: “From what was provided, an attacker can use the authorization link to link another user’s PayPal account (even with the app requesting permissions for PayPal) and be able to see the email and balance. However, from our end, we are only seeing a type of fraud activity and nothing more. What was provided did not show exactly what an attacker could do beyond that. Could they act as the victim? Make purchases in their name/balance? Edit major settings for the user? These types of questions were being considered. At best, it can be considered you are only getting/seeing limited information. As no impact was shown, there was not much more to get insight on the risk of this.”

So, as a white hat on h1, I suggest that you do not submit this type of vulnerability to PayPal, because there will be no reward. (The h1 security team doesn’t think this is a vulnerability, but if this vulnerability occurred on h1 itself, would they handle it like this?)

Update: Suppose you buy an item on Amazon, and then someone knows what you bought and at what time. Wouldn’t you think that’s a vulnerability? Or is it a normal thing, for PayPal, to get someone else’s balance information? Is that normal behavior? From this way of handling vulnerabilities, you can see that personal privacy data is meaningless to PayPal.
