PayPal patches critical Java bug in its server


PayPal has fixed a critical bug in one of its production servers that would have allowed attackers to execute code remotely and, from there, potentially to modify the database records of PayPal funds.

The flaw was a Java deserialization weakness: code running on PayPal's server rebuilt Java objects from serialized data supplied by clients without restricting which classes could be instantiated. According to a report on Naked Security, this class of bug had long been considered theoretical in nature and hard to exploit.

However, a pair of security researchers disproved that notion early in 2015 by demonstrating a working exploit. They also released ysoserial, a payload generator that builds serialized objects which chain together classes ("gadgets") from widely used Java libraries so that code runs as soon as the object is deserialized, explained a post on PayPal's Engineering blog co-authored by Mark Litchfield, the first security researcher to discover the problem at PayPal.
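The pattern behind this bug class, and the usual fix, shown as an added example rather than code taken from PayPal's post or from ysoserial. The `Order` class, the method names and the allow-list are hypothetical; the `ObjectInputFilter` variant assumes Java 9 or later (the same API was backported to Java 8u121). The point is that the hardened reader rejects any class descriptor not on its allow-list before the class is loaded, so a gadget chain never gets to run its `readObject` or `readResolve` code.

```java
import java.io.*;
import java.util.Set;

/** Added example: a "look-ahead" ObjectInputStream with a class allow-list.
 *  Not PayPal's code; the Order class and method names are hypothetical. */
public class SafeDeserialization {

    // Hypothetical business object the endpoint legitimately expects.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final long amountCents;
        Order(String id, long amountCents) { this.id = id; this.amountCents = amountCents; }
    }

    // VULNERABLE: the pattern at the root of the PayPal bug. Any Serializable class on the
    // classpath can be instantiated, and its readObject()/readResolve() run, before this returns.
    static Object readUnsafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // HARDENED: reject any class descriptor that is not on the allow-list *before* the class
    // is loaded. resolveClass() is called for every class descriptor in the stream, so the
    // library classes a gadget chain depends on are refused at the first descriptor.
    static final class SafeObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        SafeObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readSafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(untrusted), Set.of(Order.class.getName()))) {
            return in.readObject();
        }
    }

    // Same policy with the JDK's built-in filter (JEP 290): allow Order and String, reject
    // everything else, and cap depth and size so a malformed stream cannot exhaust memory.
    static Object readWithJdkFilter(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxbytes=65536;" + Order.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);   // must be set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("A-1", 1999));
        // Constructed stand-in for attacker-controlled input: a class the endpoint never expects.
        // A real ysoserial payload differs only in which classes the stream names.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("unsafe reader accepted: " + readUnsafe(unexpected).getClass().getName());
        System.out.println("safe reader accepted:   " + ((Order) readSafe(expected)).id);
        try {
            readSafe(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe reader rejected:   " + e.getMessage());
        }
        try {
            readWithJdkFilter(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("JDK filter rejected:    " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserialization.java && java SafeDeserialization`. The allow-list approach is the right default for any endpoint that must accept Java serialization from outside; where the endpoint does not actually need it, the stronger fix is to stop deserializing untrusted input at all and use a data-only format such as JSON.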

The PayPal post said the problem had received too little attention in spite of its severity because the "mainstream technical media" did not pick up the issue. That changed in November last year, when researchers at FoxGlove Security showed that the same deserialization weakness, reached through gadget classes in the widely used Apache Commons Collections library, affected enterprise-centric products such as WebLogic, WebSphere, JBoss and others.

"I realized that I could execute arbitrary OS commands on Web servers and moreover, I could establish a back connection to my own Internet server and, for example, upload and execute a backdoor," wrote Michael Stepankin, who independently found the bug with ysoserial two days after Litchfield.

Stepankin said he was able to execute arbitrary commands on PayPal's servers and noted that he could reach production databases. As proof of access he made a copy of the server's /etc/passwd file, then reported the bug to PayPal, which awarded him a $5,000 bounty about a month later.

For more:
- check out this article at Naked Security
- read the PayPal blog post

Related Articles:
PayPal's SecurePayments patched, shows site was not so secure
Cybercriminals turn to automation to profit from Web app attacks
Loophole in PayPal two factor authentication implementation allows it to be circumvented