A critical security issue has been found in PayPal that allows hackers to steal OAuth tokens that are being used in payment apps created by third-party developers. Security researcher and Adobe software engineer -Antonio Sanso found the problem after testing his own OAuth client.
“While testing my own OAuth client I have noticed something a bit fishy. The easier way to describe it is using an OAuth application from Paypal itself (remember the vulnerability I found is universal aka worked with every client!)”, according to the security expert.
He also explains that the issue might exist in some other websites too,including Google and Facebook as they are also using the secure authentication standard that exposed PayPal tokens. However according to this issue, it all comes down to how PayPal handles the redirect_uri parameter to grant authentication tokens to applications. The payment service makes it possible for developers to register their apps with PayPal though a dedicated dashboard that can generate token requests which are then submitted to a central authorization server.
The only safe validation method for the authorization server to adopt was exact matching. “Although other methods offer client developers desirable flexibility in managing their application’s deployment, they are exploitable”. he added.
Sanso added a specific domain name system entry for his website (localhost.intothesymmetry.com) and managed to deceive PayPal’s validation systems into disclosing OAuth authentication tokens that would otherwise remain hidden from view.
“So it really looks like that even if PayPal did actually perform exact matching validation, localhost was a magic word and it overrides the validation completely”, Sanso said in a blog post.
Sanso reported the vulnerability to PayPal in September, but the team replied that “this is not a vulnerability”. After pressing them to look into the problem, PayPal analyzed the report and eventually released a fix in November. He also received a bounty from PayPal for finding this flaw.