PayPal vulnerability allows disclosure of account balance and recent transaction data
The PayPal bug allows an attacker to enumerate, one guess per call, the last four digits of the payment method linked to any given PayPal account, and then to disclose that account's balance and recent transaction data.
Introduction
This article details an issue that allows an attacker to enumerate the last four digits of a payment method (such as a credit or debit card) linked to a PayPal account and to disclose that account's balance and recent transactions.
The bug bounty report submitted to PayPal for this attack was classified as out of scope for their program, which is understandable, since the program scope does not mention attacks against their interactive voice response (IVR) system.
Prerequisites and Reconnaissance
To start the attack, the attacker needs two pieces of information about the account: the email address and the phone number linked to it.
With the email address and phone number in hand, the attacker visits the "forgot password" page on the PayPal website and enters the email address of the target account.
The page then reveals the type of card linked to the account and the last two digits of the card number.
Attacking the Interactive Voice Response System
At first glance, PayPal's customer-support IVR system appears to allow a maximum of three attempts per call to submit the last four digits.
However, if the first attempt in a call is incorrect, the caller is not notified of a successful submission on any subsequent attempt during the same call. This effectively hides any additional attempts made within the same call.
To work around this restriction, the attacker simply submits one candidate combination of the last four digits per call.
Limiting submissions to one per call also makes enumeration of the correct combination more efficient, since correct and incorrect attempts can then be distinguished unambiguously.
I tested this theory against my own account and was able to conclude that there is no limit on the number of submissions across calls; assuming an attacker can place 10,000 calls, all possible combinations of the last four digits could be enumerated.
This, however, ignores the last two digits retrieved from the forgot-password page. Knowing them makes the attack far more feasible, reducing the number of possible combinations from 10,000 to only 100.
Audio recording of an unsuccessful attempt: https://soundcloud.com/sainikaran/unsuccessful-attempt (may require a proxy to access from some regions)
Once the correct combination of the last four digits is found, the attacker simply uses the IVR system to retrieve information about the account.
After the last four digits are entered correctly, the current balance of the account is read out automatically by the system.
Audio recording of the account balance disclosure: https://soundcloud.com/sainikaran/account-balance-disclosure (may require a proxy to access from some regions)
To retrieve information about recent transactions, the attacker only needs to say "recent transactions", and the system reads that information out in the same way.
Audio recording of the recent transactions disclosure: https://soundcloud.com/sainikaran/recent-transactions-disclosure (may require a proxy to access from some regions)
Attack Impact and Efficiency
If the prerequisites above are met, the attacker can enumerate the correct last four digits of the payment method associated with the account with certainty. That information can then be used to retrieve the account's current balance and recent transactions.
Over multiple submission attempts, each attempt took about 30 seconds on average, with the fastest observed being 27 seconds per call.
Using the fastest time as the average, enumerating all possible combinations from 00XX to 99XX (100 calls) takes at most 45 minutes. Adding a second phone number to the mix and calling concurrently would halve this time.
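The following is an added example, not code from the article or from PayPal, modelling the IVR section and the efficiency estimate above. The IVR behaviour is simulated purely from the article's description (a call accepts up to three submissions, but success is announced only when the first submission of a call is correct); the secret digits, the leaked digits and the call timing are constructed sample values. It shows why one guess per call is the right strategy, how the leaked two digits shrink the search space to 100 calls, and how the 45-minute bound is derived.

```python
"""Added example (not the article's or PayPal's code): a model of the enumeration
described in the IVR and efficiency sections. The IVR behaviour is simulated from
the article's description only. Secret digits, leaked digits and timings are
constructed sample values."""
from dataclasses import dataclass
from itertools import islice
from typing import Iterator, Optional, Tuple

FASTEST_CALL_SECONDS = 27      # fastest per-call time reported in the article
MAX_ATTEMPTS_PER_CALL = 3      # apparent per-call limit reported in the article


@dataclass
class SimulatedIvr:
    """Stand-in for the IVR: knows the real last four digits of the linked card."""
    secret_last4: str

    def call(self) -> "SimulatedCall":
        return SimulatedCall(self)


class SimulatedCall:
    """One phone call. Mirrors the quirk the article describes: only a correct first
    attempt is acknowledged; a correct later attempt in the same call is swallowed."""

    def __init__(self, ivr: SimulatedIvr) -> None:
        self.ivr = ivr
        self.attempts = 0

    def submit(self, last4: str) -> bool:
        if self.attempts >= MAX_ATTEMPTS_PER_CALL:
            raise RuntimeError("call ended: per-call attempt limit reached")
        self.attempts += 1
        correct = last4 == self.ivr.secret_last4
        return correct and self.attempts == 1   # True == balance is read out


def candidates(known_last2: str) -> Iterator[str]:
    """The 100 four-digit values consistent with the two digits leaked by the
    forgot-password page (00XX .. 99XX)."""
    for prefix in range(100):
        yield f"{prefix:02d}{known_last2}"


def enumerate_one_per_call(ivr: SimulatedIvr, known_last2: str) -> Tuple[Optional[str], int]:
    """The article's strategy: a fresh call for every candidate, so every answer is
    unambiguous. Returns (digits found, calls made)."""
    calls = 0
    for cand in candidates(known_last2):
        calls += 1
        if ivr.call().submit(cand):
            return cand, calls
    return None, calls


def enumerate_three_per_call(ivr: SimulatedIvr, known_last2: str) -> Tuple[Optional[str], int]:
    """Naive strategy that uses all three attempts per call. It misses the secret
    whenever the secret is not the first guess of its call, which is exactly why
    the article submits one candidate per call."""
    calls = 0
    it = candidates(known_last2)
    while True:
        batch = list(islice(it, MAX_ATTEMPTS_PER_CALL))
        if not batch:
            return None, calls
        calls += 1
        call = ivr.call()
        for cand in batch:
            if call.submit(cand):
                return cand, calls


def worst_case_seconds(known_digits: int, lines: int = 1) -> float:
    """Upper bound on enumeration time: one call per remaining combination at the
    article's fastest call time, spread over `lines` concurrent phone numbers."""
    combinations = 10 ** (4 - known_digits)
    return combinations * FASTEST_CALL_SECONDS / lines


if __name__ == "__main__":
    ivr = SimulatedIvr(secret_last4="4321")          # constructed sample secret
    print(enumerate_one_per_call(ivr, "21"))          # ('4321', 44)
    print(enumerate_three_per_call(ivr, "21"))        # (None, 34): success swallowed
    print(worst_case_seconds(2) / 60, "minutes")      # 45.0 with one line
    print(worst_case_seconds(2, lines=2) / 60)        # 22.5 with two lines
```

With the leaked digits known, the worst case is 100 calls at 27 seconds, i.e. 2700 seconds or 45 minutes on one line; without them it would be 10,000 calls, about 75 hours. The naive three-per-call run reports no result even though the secret was submitted, which is the "hidden" second-attempt success the article warns about.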
Possible Fixes
Users should be allowed to choose a privacy setting so that the amount of data displayed on the forgot-password page is kept to a minimum. This is similar to Twitter allowing users to hide the email address and/or phone number associated with their account when a password reset is attempted, and to Facebook allowing users to control whether their full name is displayed when their email address is entered on the password reset page.
Alternatively, a measure could be deployed so that, if the last two digits of a credit or debit card need to be displayed at all, they are shown only when the request meets specific conditions, for example when it comes from a recognized device or location.
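The following is an added example, not code from the article or from PayPal, modelling the two fixes proposed above (a user-chosen privacy setting and a recognized-device condition on the forgot-password hint). It also adds a third measure that the article does not propose but that addresses the root cause noted earlier, the absence of any submission limit: a failure counter keyed by account rather than by call, so hanging up and redialling does not reset it. The account data, device identifiers, thresholds and message strings are assumptions for illustration.

```python
"""Added example (not the article's or PayPal's code): a model of the two proposed
fixes plus a per-account attempt counter that survives across calls. Account data,
device IDs, thresholds and message strings are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MAX_FAILED_ATTEMPTS = 5          # assumed per-account budget, counted across calls
LOCKOUT_SECONDS = 24 * 60 * 60   # assumed lockout once the budget is spent
GENERIC_RESET_MESSAGE = "If this email is registered, a reset link has been sent."


@dataclass
class Account:
    email: str
    card_last4: str
    # Fix 1 (article's proposal): a user-chosen privacy setting that keeps the
    # forgot-password page from revealing anything about the payment method.
    reveal_partial_card_on_reset: bool = False
    # Fix 2 (article's proposal): partial digits only for recognised devices.
    known_device_ids: Set[str] = field(default_factory=set)


def forgot_password_hint(account: Account, device_id: str) -> str:
    """What the forgot-password page may say. The last two card digits are shown
    only if the user opted in AND the request comes from a recognised device."""
    if not account.reveal_partial_card_on_reset:
        return GENERIC_RESET_MESSAGE
    if device_id not in account.known_device_ids:
        return GENERIC_RESET_MESSAGE
    return f"Card ending in ..{account.card_last4[-2:]}"


class IvrVerifier:
    """Server-side last-four check whose failure counter is keyed by account, not
    by call, so the one-guess-per-call trick no longer resets the limit."""

    def __init__(self, accounts: Dict[str, Account]) -> None:
        self.accounts = accounts
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def verify(self, email: str, last4: str, now: float) -> str:
        """Returns 'ok', 'fail' or 'locked'."""
        account = self.accounts[email]
        if self.locked_until.get(email, 0.0) > now:
            return "locked"
        if last4 == account.card_last4:
            self.failures[email] = 0
            return "ok"
        self.failures[email] = self.failures.get(email, 0) + 1
        if self.failures[email] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[email] = now + LOCKOUT_SECONDS
            return "locked"
        return "fail"


def replay_enumeration(verifier: IvrVerifier, email: str, known_last2: str,
                       call_seconds: float = 27.0) -> Tuple[Optional[str], int]:
    """Replays the article's one-candidate-per-call enumeration against the
    hardened verifier. Returns (digits found, calls made)."""
    calls = 0
    for prefix in range(100):
        calls += 1
        cand = f"{prefix:02d}{known_last2}"
        result = verifier.verify(email, cand, now=calls * call_seconds)
        if result == "ok":
            return cand, calls
        if result == "locked":
            return None, calls
    return None, calls


if __name__ == "__main__":
    acct = Account("victim@example.com", "4321", known_device_ids={"dev-1"})
    print(forgot_password_hint(acct, "dev-1"))              # generic (opt-in is off)
    acct.reveal_partial_card_on_reset = True
    print(forgot_password_hint(acct, "dev-1"))              # Card ending in ..21
    print(forgot_password_hint(acct, "attacker-device"))    # generic
    verifier = IvrVerifier({acct.email: acct})
    print(replay_enumeration(verifier, acct.email, "21"))   # (None, 5)
```

With the counter keyed by account, the enumeration stops after the assumed five failures instead of running to 100 calls, which cuts the attacker's odds to 5 in 100 per lockout period even if the last two digits have leaked. Two caveats apply: a lucky early guess still succeeds, so the counter is a complement to reducing the forgot-password disclosure, not a replacement; and any account-level lockout is a denial-of-service lever against the victim, so it needs a recovery path that does not itself depend on the same last-four check.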
Conclusion
This issue allows an attacker to enumerate the last four digits of the payment method linked to an account, and thereby to disclose the account's current balance and recent transactions.
If the attacker knows the email address and phone number of the target account, they first use PayPal's forgot-password page to retrieve the last two digits of the payment method associated with it.
They then call PayPal customer support, interact with the IVR system, and enumerate the last four digits, or more precisely the first two of the last four digits, since the final two are already known.
Once the attacker has found the last four digits of the credit/debit card or bank account linked to the account, they can freely query the account's current balance and recent transaction information.
Finally, I would point out that because the attack requires no human interaction, it is essentially a backdoor into a PayPal account, allowing the attacker to query the current balance and recent transaction information of any given account at any time.
* Reference source: SecurityAffairs
Permanent link for this article: https://www.bkjia.com/Linux/2018-02/151088.htm