This article was written by the CEO and founder of Break Security in Israel and translated by Zhang Jun, a volunteer at IDF lab.
Today I will describe how I attacked the PayPal transaction record system. This bug has been reported to the PayPal security team and was fixed immediately.
An attacker could exploit this vulnerability to access PayPal users' transaction records, which contain the following user information:
- Shipping address
- Email
- Phone number
- Product name
- Quantity purchased
- User full name
- Transaction No.
- Invoice No.
- Transaction subject
- Account name
- PayPal reference No.
- and so on.
First, there is a "transaction records" option in the PayPal user interface; it lets you view the records of the products you have purchased.
When I clicked it, I saw the application send a POST request like this (POST /acweb/iportal/activePortal/viewer/viewframeset.jsp):
Part of that path (/acweb/iportal/activePortal/viewer/) caught my interest (iportal, activePortal), so I googled it:
https://www.google.co.il/#site=&source=hp&q=inurl:activePortal%2Fviewer%2Fviewframeset.jsp
I found this program was developed by Actuate: http://www.actuate.com/home/
So PayPal evidently relies on Actuate iPortal, a third-party application, to display transaction records to its users. You all know that I love trial versions. Here it is:
I downloaded the 30-day trial of the Actuate iPortal application. That gave me the source code, the directory structure and file names, and even the complete user manual:
http://www.birt-exchange.com/be/documentation/Manuals/creating-custom-iportal-apps.pdf
This manual saved me a lot of time, because the parameters and file names are all laid out in it.
After a thorough review I found an interesting file, getfolderitems.do. The PayPal transaction record system (business.paypal.com) let me reach this file with the permissions of an ordinary user, because Actuate uses it to display transaction records. Most importantly, the file can be used with a non-administrator account.
Let's look at the parameters that getfolderitems.do accepts:
1. id:
The id value displays the contents of a specific user's directory. For example:
id=1234 (Nir's items)
id=12345 (Egor's items)
2. folder:
The directory, given as a path (getfolderitems.do?folder=/users/).
So I first tried to reach the user directories through getfolderitems.do to get into the PayPal record system, for example:
https://business.paypal.com/acweb/getfolderitems.do?folder=/users/
But that failed: PayPal blocked access to the user directories through getfolderitems.do.
Since PayPal had restricted this obvious path, I needed a different approach to reach PayPal's user records.
After some research, I found that the parameters of getfolderitems.do mentioned above expose the user's secret token (secret tokenid). So although PayPal rejects every request for the user directory through getfolderitems.do (getfolderitems.do?folder=/users/), it allows access to a target user's directory when the request carries that user's secret token (secret tokenid).
For example:
Rejected request: getfolderitems.do?folder=/users/
Successful request: getfolderitems.do?folder=/users/9k1mvk2s10almQ9PM/
If the attacker (here, me) supplies an id value (getfolderitems.do?id=392302), PayPal returns the target user's secret token (secret tokenid).
These IDs are only 8-10 digits long, and PayPal has millions of users.
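A short id space in front of an id lookup that discloses a secret is exactly what an enumeration attempt leaves behind in server logs. The following is an added example, not code from the article or from Actuate or PayPal: it scans constructed access-log lines (the log format, client addresses and timestamps are assumptions) for one client requesting many distinct getfolderitems.do?id= values inside a short window, which is the pattern a walk through the id space produces while a genuine user opens only a handful of their own records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Access-log line in combined-log style (client, timestamp, request line, status).
# The format is assumed; adjust the pattern to the server's real log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)
# The report-portal endpoint named in the article, with its numeric id parameter.
ID_QUERY = re.compile(r'/acweb/getfolderitems\.do\?(?:[^ ]*&)?id=(\d+)', re.IGNORECASE)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"


def parse(line):
    """Return (ip, timestamp, item_id) for a getfolderitems.do?id= request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    q = ID_QUERY.search(m.group("path"))
    if not q:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), int(q.group(1))


def find_enumerators(lines, window=timedelta(minutes=5), threshold=10):
    """Flag clients that request at least `threshold` distinct ids inside one `window`.

    Returns {ip: most distinct ids seen in any single window} for flagged clients only.
    A legitimate user opens a handful of their own records; a walk through the
    8-10 digit id space shows up as dozens of distinct ids from one client.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, ts, item_id = rec
            per_ip[ip].append((ts, item_id))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({i for _, i in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def constructed_log():
    """Constructed sample: one client stepping through ids from 392302, one ordinary user."""
    base = datetime(2013, 1, 10, 12, 0, 0)
    lines = []
    for n in range(30):
        ts = (base + timedelta(seconds=4 * n)).strftime(TS_FORMAT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /acweb/getfolderitems.do?id={392302 + n} HTTP/1.1" 200')
    lines.append('198.51.100.4 - - [10/Jan/2013:12:01:00] "GET /acweb/getfolderitems.do?folder=/users/ HTTP/1.1" 403')
    lines.append('198.51.100.4 - - [10/Jan/2013:12:01:30] "GET /acweb/getfolderitems.do?id=12345 HTTP/1.1" 200')
    return lines


if __name__ == "__main__":
    for ip, count in find_enumerators(constructed_log()).items():
        print(f"{ip}: {count} distinct record ids requested within 5 minutes")
```

The threshold and window are tuning knobs: set them from a baseline of how many distinct records real users open per session, and treat a high ratio of 200 responses to such requests from a single client as the stronger signal, since it means the lookups are succeeding rather than being refused.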
With a valid PayPal user token I could go further, into the user's transaction record directory (getfolderitems.do?folder=/users/tokenidofthevictim/), and obtain full access to it.
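The root cause described above is an authorization check that keys on what the client knows (a folder path or a tokenid) instead of on who the client is. The following is an added illustration, not Actuate's or PayPal's code: a small Python model of the request handling the article describes (bare /users/ listing refused, any token-named folder served, id lookup returning another user's folder name) beside a hardened version that authorizes against the session identity. The account names, record ids and token strings are constructed placeholders.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the portal refuses a request."""


@dataclass(frozen=True)
class Item:
    item_id: int
    owner: str    # account that owns the transaction record
    folder: str   # portal folder the record lives in: /users/<secret tokenid>/


# Constructed data: two accounts, each with a folder keyed by a secret tokenid.
# The token values are placeholders, not real PayPal or Actuate values.
TOKENS = {"nir": "TOKEN_NIR_PLACEHOLDER", "egor": "TOKEN_EGOR_PLACEHOLDER"}
ITEMS = {
    1234: Item(1234, "nir", f"/users/{TOKENS['nir']}/"),
    12345: Item(12345, "egor", f"/users/{TOKENS['egor']}/"),
}


def vulnerable_getfolderitems(session_user, folder=None, item_id=None):
    """Model of the behaviour the article describes.

    The bare /users/ listing is blocked, but any folder whose tokenid the client
    supplies is served, and an id lookup returns the record together with its
    folder, i.e. another user's secret tokenid. `session_user` is never consulted.
    """
    if folder is not None:
        if folder == "/users/":
            raise Forbidden("directory listing blocked")   # the only check performed
        return [it for it in ITEMS.values() if it.folder == folder]   # no owner check
    if item_id is not None:
        return ITEMS[item_id]   # discloses folder (the secret tokenid) to anyone
    raise Forbidden("nothing requested")


def hardened_getfolderitems(session_user, folder=None, item_id=None):
    """Authorize on the authenticated identity, never on knowledge of a URL value.

    A tokenid is an identifier, not a credential: the check compares the requested
    object's owner with the session, and answers a foreign id the same way as a
    missing one so the response itself does not confirm that the id exists.
    """
    if item_id is not None:
        item = ITEMS.get(item_id)
        if item is None or item.owner != session_user:
            raise Forbidden("no such record")
        return item
    if folder is not None:
        # Real code must canonicalize the path (resolve ../, decode %2F, etc.) before comparing.
        own_folder = f"/users/{TOKENS[session_user]}/"
        if folder != own_folder:
            raise Forbidden("no such folder")
        return [it for it in ITEMS.values() if it.folder == own_folder]
    raise Forbidden("nothing requested")


def raises_forbidden(handler, session_user, **request):
    """True if the handler refuses the request (used by the demonstration below)."""
    try:
        handler(session_user, **request)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # As user "nir", look up Egor's record id: the vulnerable handler leaks Egor's folder/token.
    leaked = vulnerable_getfolderitems("nir", item_id=12345).folder
    print("vulnerable: id lookup disclosed", leaked)
    print("vulnerable: folder by token served", vulnerable_getfolderitems("nir", folder=leaked))
    print("hardened: foreign id refused:", raises_forbidden(hardened_getfolderitems, "nir", item_id=12345))
    print("hardened: foreign folder refused:", raises_forbidden(hardened_getfolderitems, "nir", folder=leaked))
    print("hardened: own records served:", hardened_getfolderitems("egor", folder=leaked))
```

The design point is that the hardened handler never needs the folder or id to be unguessable: even if every tokenid were public, a request for someone else's records is refused because ownership is resolved server-side from the session. Blocking only the bare /users/ listing, as the vulnerable version does, is a blocklist on one URL shape and leaves every other route to the same objects open.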
See the figure below:
By the way, during my bug bounty work on PayPal I found a large number of iPortal vulnerabilities. In the end, PayPal dropped the application entirely.