Network Security, Vulnerability Management

PayPal vulnerabilities could have allowed phishing emails

A German researcher reportedly netted $500 from PayPal's bug bounty program for a vulnerability that could have allowed an attacker to carry out phishing and other attacks.

Vulnerability Laboratory researcher Benjamin Kunz Mejri discovered what he described as a “Filter Bypass and Persistent Profile Mail Encoding Web Vulnerability,” according to a March 30 advisory.

The bug also could have allowed session hijacking, persistent redirecting to external sources and persistent manipulation of affected or connected service module context, the advisory said.

The vulnerability existed in the profile section of the application program interface request.

“We are able to inject own malicious script codes to the PayPal service emails via filter bypass and application-side cross site scripting bug,” Mejri told the Register.

Mejri reportedly discovered the flaw in October 2015, but waited until it was patched to disclose.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.