29 May 2013
Category: Uncategorized

How I Hacked PayPal Users Reports System
Hi

Today, I’m going to tell you how I was able to hack the PayPal Reports System a considerably long time ago.

This bug was reported to the PayPal Security Team and fixed immediately.

Using this vulnerability, I was able to gain complete access to the reports of PayPal users. In these reports, you’ll find information about users’ orders, such as:

  • Shipping address
  • Email addresses
  • Phone number
  • Item name
  • Item amount
  • Full name
  • Transaction ID
  • Invoice ID
  • Transaction subject
  • Account ID
  • PayPal reference ID
  • etc.

Now,

In the PayPal user interface, there is an option called “Reports”:

[Screenshot: the “Reports” option in the PayPal user interface]

Customers can use this option to gain access to their own purchase reports.

When I clicked on my report, I noticed that the application sent a POST request that looked like this (POST /acweb/iportal/activePortal/viewer/viewframeset.jsp):

[Screenshot: the POST request to viewframeset.jsp]

As soon as I saw the folder path (/acweb/iportal/activePortal/viewer/), I had a weird feeling about it (iportal, activePortal).

Then, I made a quick Google Search:

https://www.google.co.il/#site=&source=hp&q=inurl:activePortal%2Fviewer%2Fviewframeset.jsp

 

I discovered that this application was developed by Actuate:

http://www.actuate.com/home/

At this point, it seemed like PayPal was using the Actuate iPortal application (a third-party app) to display customer reports to their users.

Nice!

As you know, I really enjoy trial versions. Trial versions are like candy for “hackers”. In any event, I downloaded the 30-day trial version of the Actuate iPortal application. This gave me access to the source code, folder structure, and file names.

And guess what:

There’s even a full manual for Actuate users:

http://www.birt-exchange.com/be/documentation/Manuals/creating-custom-iportal-apps.pdf

App manuals save a ton of time because they make parameter info and file names readily available.

Thanks, Actuate!

After a more thorough inspection, I located an interesting file named getfolderitems.do. The PayPal Reports System (business.paypal.com) allowed me to access this file as an ordinary user.

That’s because the Actuate app uses this file to display user reports, and the best part is that you don’t need admin access to use it.

Let’s take a closer look at the interesting parameters of getfolderitems.do:

1. id: displays the items of a specific user’s folder, for example:

id=1234 (Nir’s item)

id=12345 (Egor’s item)

2. folder: the folder that holds the user’s reports, for example getfolderitems.do?folder=/users/

Now,

My initial attempt to break the PayPal Reports System application was aimed at accessing the user’s folder through getfolderitems.do.

For example:

https://business.paypal.com/acweb/getfolderitems.do?folder=/users/

Didn’t work!

PayPal was prohibiting my request for access to the user’s folder via getfolderitems.do.

[Screenshot: the “access denied” response]

At this point, I knew that PayPal was aware of the loophole and had already tried to avoid malicious access. Thus, I needed to come up with another way to perform a successful attack that would permit me to gain access to PayPal’s user reports.

My research found that the id parameter of getfolderitems.do exposed the user’s secret token id.

So PayPal rejects any request to access the users’ folders through getfolderitems.do (getfolderitems.do?folder=/users/), but it allows requests to a user’s folder if the attacker knows the secret token id of the “victim.”

For example:

Rejected request:

getfolderitems.do?folder=/users/

Successful request:

getfolderitems.do?folder=/users/9k1mvk2s10almQ9PM/

If the attacker (me, in this case) manipulated the id parameter (getfolderitems.do?id=392302), then PayPal would expose the secret token id of the victim.

[Screenshot: the response exposing the victim’s token id]

The id parameter contains only 8-10 digits, and PayPal has millions of users.

By manipulating the id parameter, I was able to obtain valid token id values of PayPal users, which would allow a follow-up attack on the user’s report folder:

(getfolderitems.do?folder=/users/tokenidofthevictim/)

And so I gained full access to all the user report folders.

PoC pictures:

[Screenshots: paypalreport1access, paypalreportaccess2 through paypalreportaccess5]

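As an added illustration (not code from this post, from PayPal or from Actuate), here is a minimal model of the getfolderitems.do authorization logic: the vulnerable handler, which only blocks the bare /users/ folder and lets the id parameter leak another user’s token, next to a hardened handler that derives the one permitted folder from the authenticated session. The user ids, token values and report file names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical users and token ids, not real PayPal values).
USER_TOKENS = {1234: "tokNirAAA", 12345: "tokEgorBBB"}
REPORTS = {
    "/users/tokNirAAA/": ["nir_orders_2013.csv"],
    "/users/tokEgorBBB/": ["egor_orders_2013.csv"],
}


@dataclass
class Request:
    session_user: int             # the authenticated caller (from the session, not the URL)
    id: Optional[int] = None      # getfolderitems.do?id=...
    folder: Optional[str] = None  # getfolderitems.do?folder=...


def getfolderitems_vulnerable(req: Request) -> dict:
    """Models the behaviour the post describes: the only check is a blanket
    refusal of folder=/users/, so any logged-in user can look up another
    user's token via `id` and then list that user's folder by token."""
    if req.id is not None:
        # IDOR: nothing ties req.id to req.session_user, so the caller learns
        # the looked-up user's secret folder token.
        return {"token": USER_TOKENS.get(req.id)}
    if req.folder is not None:
        if req.folder == "/users/":
            return {"error": "access denied"}
        return {"items": REPORTS.get(req.folder, [])}
    return {"error": "bad request"}


def getfolderitems_hardened(req: Request) -> dict:
    """Derives the only permitted folder from the session and rejects any
    `id` or `folder` that does not refer to the caller's own account."""
    own_token = USER_TOKENS[req.session_user]
    own_folder = f"/users/{own_token}/"
    if req.id is not None and req.id != req.session_user:
        return {"error": "access denied"}
    if req.folder is not None and req.folder != own_folder:
        return {"error": "access denied"}
    # The token itself never needs to be returned to the client at all.
    return {"items": REPORTS[own_folder]}
```

The hardened version also removes the token from the response entirely, so an attacker who can still reach the endpoint learns nothing they can reuse against another account.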
BTW,

During PayPal’s bug bounty program, I located a ton of vulnerabilities in the iPortal application. In the end, PayPal just decided to get rid of it entirely.

Thanks,

@Nirgoldshlager
