Tuesday, 30 July 2019

PayPal bug ($10K): takeover of all secondary user accounts leads to unauthorized money transfers from PayPal business accounts

In the name of Allah, the Beneficent, the Most Merciful.

It has been quite a long time since I wrote a blog post, due to other commitments. Today I would like to disclose one of my findings in PayPal, which was reported via HackerOne.

This bug allowed me to take over any secondary user account of any PayPal business account: an IDOR (insecure direct object reference) in the business user-management API gave me control over whichever secondary user I chose.

PayPal business accounts are used by millions of organizations worldwide. Business owners assign various privileges to secondary user accounts to delegate work, and one of those privileges lets a secondary user transfer money from the business account to any other account. I used this privilege to describe the impact: if exploited, the bug would have let an attacker take over any secondary user holding the "Transfer money" privilege and then move funds out of the victim's business account without authorization.

Steps:
Two different business accounts were needed for the POC.

-> From the victim@gmail.com business account I created a secondary user
with username victim1234.

-> From the attacker@gmail.com business account I created a secondary user
with username attacker1234.

-> From the attacker account I opened the secondary user's page at
  https://www.paypal.com/businessmanage/users/1660971175791245038
(this id belongs to attacker1234, created from attacker@gmail.com) and captured the request
that edits the user's permissions. It looks like this:


PUT /businessmanage/users/api/v1/users? HTTP/1.1
Host: www.paypal.com
Connection: close

[{"id":"1660971175791245038","accessPoint":{"privileges":["MANUAL_REFERENCE_TXN","VIEW_CUSTOMERS","SEND_MONEY"],"id":"4446113495","accounts":["attacker@gmail.com"]},"roleID":0,"roleName":"CUSTOM","privilegeChanged":true,"privilegeSecondaryName":"ttt ttts"}]

-> In the PUT request above, the first (outer) "id" can be anything: I replaced it with a dummy value
("asdfjdsf") and the request was still accepted. The second id, "accessPoint":{"id":"4446113495"}, is the real id of each secondary user, and this is the value that was vulnerable to IDOR.

-> This second id is purely numeric and assigned incrementally, so it is trivially enumerable.
Had the attacker changed it to 4446113496 (suppose that is the id of victim1234), the associated secondary user, victim1234, would have been listed in the attacker's own user list at https://www.paypal.com/businessmanage/users.

-> So if the attacker had simply enumerated ids from 4446113495 to 4446113999, all of those secondary accounts would have appeared in the Manage Users section of the attacker's business account. From there the attacker only needed to change each user's password via Manage Users, and game over:
complete takeover of any secondary account.

-> The attacker could then log in as any secondary user holding the "Transfer Money" privilege and move funds from the victim's business account to an account of the attacker's own.
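What the server should have checked, as an added example that is not PayPal's code: a small Python model of the request flow above, with the vulnerable behaviour (look up accessPoint.id and attach it to the caller's business without an ownership check) next to the hardened one (refuse any access point the authenticated business does not already own, and answer unknown and foreign ids identically), plus the id sweep that turns one IDOR into a takeover of every secondary user. The in-memory store, the owner field, the function names and the 200/403/404 status codes are assumptions made for the illustration; the JSON body shape and the sample ids come from the captured request above.

```python
"""In-memory model of the secondary-user IDOR described in the steps above.

Added example, not PayPal's code: a stand-in for the handler behind
PUT /businessmanage/users/api/v1/users. The store, the owner field, the
function names and the status codes are assumptions for the illustration;
the body shape and the sample ids come from the write-up.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    ap_id: str                 # the "accessPoint.id" value from the request
    owner: str                 # business account that created the secondary user
    username: str
    privileges: list = field(default_factory=list)


def fresh_store():
    """Constructed sample data: one secondary user per business account.
    The ids are sequential numbers, as in the vulnerable system."""
    return {
        "4446113495": AccessPoint("4446113495", "attacker@gmail.com", "attacker1234", ["SEND_MONEY"]),
        "4446113496": AccessPoint("4446113496", "victim@gmail.com", "victim1234", ["SEND_MONEY"]),
    }


def edit_request(ap_id, privileges):
    """The PUT body from the write-up. The outer "id" is never read by the
    handler, which is why a dummy value there made no difference."""
    return [{
        "id": "asdfjdsf",
        "accessPoint": {"privileges": privileges, "id": ap_id, "accounts": ["attacker@gmail.com"]},
        "roleID": 0, "roleName": "CUSTOM", "privilegeChanged": True,
        "privilegeSecondaryName": "ttt ttts",
    }]


def update_users_vulnerable(store, caller, body):
    """Vulnerable handler: looks the access point up by the client-supplied id
    and attaches it to the caller's business without checking who owns it."""
    for entry in body:
        ap = store.get(entry["accessPoint"]["id"])
        if ap is None:
            return 404
        ap.privileges = list(entry["accessPoint"]["privileges"])
        ap.owner = caller          # victim's user now shows up in the caller's Manage Users
    return 200


def update_users_fixed(store, caller, body):
    """Hardened handler: every referenced access point must already belong to
    the authenticated business account. Unknown and foreign ids get the same
    answer, so the response does not confirm which ids exist."""
    targets = [store.get(entry["accessPoint"]["id"]) for entry in body]
    if any(ap is None or ap.owner != caller for ap in targets):
        return 403
    for ap, entry in zip(targets, body):
        ap.privileges = list(entry["accessPoint"]["privileges"])
    return 200


def manage_users_listing(store, caller):
    """What the Manage Users page would list for a business account."""
    return sorted(ap.username for ap in store.values() if ap.owner == caller)


def sweep(handler, store, caller, start, count):
    """The attacker's enumeration: replay the edit with consecutive numeric ids
    and keep every secondary user the handler let the caller claim."""
    hijacked = []
    for n in range(start, start + count):
        ap_id = str(n)
        if handler(store, caller, edit_request(ap_id, ["SEND_MONEY"])) == 200:
            hijacked.append(store[ap_id].username)
    return hijacked


def new_access_point_id():
    """Defence in depth: unguessable ids, so a range sweep finds nothing.
    The ownership check is still the fix; random ids only raise the cost."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    s = fresh_store()
    print("vulnerable:", sweep(update_users_vulnerable, s, "attacker@gmail.com", 4446113495, 10))
    s = fresh_store()
    print("fixed:     ", sweep(update_users_fixed, s, "attacker@gmail.com", 4446113495, 10))
```

Against the vulnerable handler the sweep claims both users and victim1234 then appears in the attacker's listing; against the fixed handler it returns only the attacker's own user and the victim's listing is untouched. The random id generator is defence in depth only: the ownership check is the actual fix, because an id leaked by any other path would otherwise still work.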


PayPal has since remediated the issue and found no evidence of any abuse associated with it.


Summary by PayPal on HackerOne about the issue:

Thanks for reading; I hope you enjoyed it.

P.S.: I am looking for an infosec job in Hyderabad or remotely; please let me know if you hear of any.


Regards
Mohd Haji
https://www.linkedin.com/in/mohd-haji-490960a0/

27 comments:

  1. Your story is inspiring. You are a real white-hat hacker. Congrats.
    You got 10k USD from PayPal; it's amazing.
    https://w3raja.com

    1. Hello all,
      I've been seeing for a few years that some guys come into the market
      calling themselves hackers, carders or spammers; they rip
      people off in different ways and it badly impacts real hackers.
      Now the situation is that people don't believe that real hackers and carder scammers exist.
      Anyone who wants to make a deal with me, of any type, I am available, but first
      I'll show proof that I'm real, then make a deal, like:

      Available Services

      ..Wire Bank Transfer all over the world

      ..Western Union Transfer all over the world

      ..Credit Cards (USA, UK, AUS, CAN, NZ)

      ..School Grade upgrade / remove Records

      ..Spamming Tool

      ..Keyloggers / RATs

      ..Social Media recovery

      .. Teaching Hacking / spamming / carding (1/2 hours course)

      discount for re-seller

      Contact: 24/7

      fixitrogers@gmail.com

    2. Money Transfer Service

      Bank Transfers / Western Union Transfer / Wire Transfer / Bank Logins / PayPal Transfer / Money Gram are now available to the following countries:

      USA, UK, EU, Canada, Australia, Russia, Netherlands, China, Malaysia, France, Thailand, Ukraine, Nigeria

      Our services are worldwide and we exclusively deal with Western Union / Money Transfer / Bank Logins / CVV, Fullz / Money Gram. The global nature of our service enables us to interact with clients all over the world who have access to our services. Our proxy dealers process your transfer request(s) and we subsequently provide you with the details of your transfers; the transactions are carried out in 1-2 hours. Our services are available 24/7/365; we strive to build a strong relationship with our clients.

      Services We Provide to our valuable Clients:

      Bitcoin Transfer
      Wire Bank Transfer
      Paypal Transfer
      Western Union Transfer
      Skrill Transfer
      Carding
      Credit Card (cc) for sale
      Random CC for sale
      Fullz for sale
      Bank logins with High Balance selling
      Teaching
      GMAIL / Facebook
      Whatsapp / Instagram

      We also teach all types of hacking within a few days.
      We show our work, then make a deal.
      Only serious / needy people contact us.

      Support 24/7

      Email - topley994@gmail.com

    3. Fake people in this comments section;
      watch out before contacting anyone.

      https://scam-alert-report.blogspot.com/2019/02/scam-alert.html

    4. ARE YOU A VICTIM OF FALSE HACKERS & BANK LOAN SCAMS⁉️

      We have been having recent complaints from individuals about how they lost money 💵 to SPAMMERS who call themselves HACKERS or BANK LOAN OFFERS. They are all over the internet sharing false testimonies. Please do not fall for their lies, for this is just a way to LURE you to them.

      They tell lies of the likes of:
      ▪️Bitcoin Auctioning ▪️Western Union Hack
      ▪️Blank Credit Card ▪️Clearing Criminal Records
      ▪️Loan Offers ▪️Bank Account Loading
      ▪️Changing University Grades & so on.
      These are all lies and you shouldn't fall for them.

      🍵GLOBAL PLUGGERS🍵 is here to help you recover all your money 💵 that you have been ripped off.
      WHO ARE GLOBAL PLUGGERS⁉️
      We are a group of computer 💻 experts who are members of the "HACKERONE" forum. We have dedicated ourselves to helping victims of these SCAM(s) recover all the money that has been taken falsely from them.

      If you have been a victim of these thieves, then you need to contact us as soon as possible so you can get your money back.
      Email: globalpluggers@gmail.com
      No. +1 (808) 600 0773 (number also available on WhatsApp)

      Note:
      Please know that we do not charge you for the Fund Recovery Service; our Funds Recovery Service is to help and so it's free.

      We also provide Legit Hacking Services such as:
      🔸Phone Hacking/Cloning
      🔸Email Hacking & Password Recovery
      🔸Social Media Hacking & Password Recovery
      🔸Deleted Files Recovery 🔸Mobile Tracking
      🔸Virus Detection & Elimination.

      Contact:
      Email globalpluggers@gmail.com
      No. +1 (808) 600 0773 (number also available on WhatsApp)

    5. Selling good and fresh CVV fullz
      track 1 and 2 with PIN
      bank login
      bank transfer
      writing cheques
      transfer to CC ...

      Sell Fresh CVV - Western Union Transfer - Bank Login - Card Dumps - Paypal - Ship
      Fresh Cards, Selling Dumps, CVVs, Fullz
      Tickets, Hotels, Credit card top-up... Paypal transfer, Mailer, SMTP, Western Union login,
      Book Flight Online
      SELL CVV GOOD And HACK BIG CVV GOOD Credit Card
      Fresh Cards. Selling Dumps, CVVs, Fullz. Tickets, Hotels, Credit cards
      Sell CVV (cc) - WU Transfer - Card Dumps - Bank login/paypal
      And many more other hacking services

      contact me: hackerw169@gmail.com
      ICQ: 699 396 818

      - I have a PayPal account with a good balance
      - I hope you are good customers and we will have long-term cooperation

      Prices for Western Union Online Transfer
      - Transfer (EU, UK, Asia, Canada, US, France, Germany, Italy and very easy to do African)
      - 200$ = 1500$ (MTCN and sender name + country sender)
      - 350$ = 4000$ (MTCN and sender name + country sender)
      - 500$ = 6000$ (MTCN and sender name + country sender)
      - 600$ = 8000$ (MTCN and sender name + country sender)
      Then I will do transfers for you; after about 30 mins you'll have
      MTCN and sender name + country sender

      - Dumps prices
      - Tracks 1&2 US = 85$ per 1
      - Tracks 1&2 UK = 100$ per 1
      - Tracks 1&2 CA / AU = 110$ per 1
      - Tracks 1&2 EU = 120$ per 1

      Bank Logins Prices US UK CA AU EU
      - Bank US: (HALIFAX, BOA, CHASE, Wells Fargo...)
      . Balance 5000$ = 250$
      . Balance 8000$ = 400$
      . Balance 12000$ = 600$
      . Balance 15000$ = 800$
      . Balance 20000$ = 1000$
      - Bank UK: (LLOYDS TSB, BARCLAYS, Standard Chartered, HSBC...)
      . Balance 5000 GBP = 300 GBP
      . Balance 12000 GBP = 600 GBP
      . Balance 16000 GBP = 700 GBP
      . Balance 20000 GBP = 1000 GBP
      . Balance 30000 GBP = 1200 GBP

      contact me: hackerw169@gmail.com
      ICQ: 699 396 818

  2. I think this is an informative post and it is very useful. Therefore, I would like to thank you for the efforts you have made in writing this article. how to change paypal phone number

  3. Thanks for sharing useful information. Can you help me please? Visit here: paypal changed phone number




  5. Very good blog and helpful information in the above blog.
    Contact forgot paypal password and changed phone number for instant help.
    For more information, visit Web: https://bit.ly/31Uy8C2
    Contact at: +1 888 509 9555 (Toll-Free)
    Address: California, United States

  6. I'm a hacker and services provider,
    interested in anything; I do fair deals.
    I will show you how things work.
    Short course: hacking, carding, cloning ATM cards

    .. Western Union transfer
    .. Bank Transfer
    .. Credit Cards
    .. Money Adders
    .. Bill Payment
    .. College Fee
    .. Fake Documents / ID, License
    .. Grade Change / Update
    .. Credit score / history update

    Contact:
    t0r.netw0rk@yahoo.com

  7. The only hacker that does real transfers for me. Visit them at www.wucode.info; same-day transfer, no delay of any kind. I'm overwhelmed doing business with them.


  8. Do you need a Personal Loan?
    Business Cash Loan?
    Unsecured Loan?
    Fast and Simple Loan?
    Quick Application Process?
    Approvals within 24-72 Hours?
    No Hidden Fees Loan?
    Funding in less than 1 Week?
    Get unsecured working capital?
    Email us: perfectfinancialcredite@gmail.com
    Application Form:
    =================
    Full Name: ................
    Loan Amount Needed: .
    Purpose of loan: .......
    Loan Duration: ..
    Gender: .............
    Marital status: ....
    Location: ..........
    Home Address: ..
    City: ............
    Country: ......
    Phone: ..........
    Mobile / Cell: ....
    Occupation: ......
    Monthly Income: ....
    Email us: perfectfinancialcredite@gmail.com

  9. I have tested a few, and the best hackers for hire on the dark web are the guys at dark web hackers. Download Tor Browser and then go to this dark
    web site with Tor Browser:
    http://ziagmjbpt47drkrk.onion/

  10. Hello everyone, are you in need of hacking services?
    Then contact > GENIUSWEBHACKERS@GMAIL.COM
    for the best hacking services.
    Be warned, most of these so-called hackers are impostors. I know how real hackers work; they never advertise themselves in such a credulous manner and they are always discreet.
    I have been scammed so many times out of desperation trying to find urgent help to change my school grades;
    finally my friend introduced me to a group of reliable hackers who work with discretion and deliver promptly. They do all kinds of hacking, ranging from:
    -Securing of personal/company websites
    -Sales of blank ATM cards
    -Games hacking
    -Hack into email accounts and trace email location
    -All social media accounts, school databases to clear or change grades
    -Retrieval of lost files/documents, changing of car plate documents
    ****iTunes card code hack
    -DUIs, company records and systems
    -Bank accounts, PayPal accounts, Bitcoin and OneCoin accounts
    -Credit card hack
    -Credit score hack
    -Monitor any phone and email address
    -Hack IP address
    -Tap into anybody's calls and monitor their conversations. By hiring their service you will get a free 30-day warranty. It means that if some password is changed in this time frame since the moment you receive it, they will get it again for free.
    ***CONTACT > GENIUSWEBHACKERS@GMAIL.COM

  12. Loan for business and personal use

    Business and Personal Loans, loans ranging from $5,000-$100,000,000. Our passion is helping ones in need. We are based in the UK, USA and Italy, but willing to loan outside; interest rate 3%. betterloancompany@gmail.com

  13. INSTEAD OF GETTING A LOAN, I GOT SOMETHING NEW
    Get $5,500 USD every day, for six months!

    See how it works.
    Do you know you can hack into any credit card machine with a hacked credit card?
    Make up your mind before applying, straight deal...

    Order a blank credit card now and get millions within a week! Contact us
    via email address: Legitblankcardsonline@gmail.com

    We have specially programmed credit cards that can be used to hack credit card machines
    nationwide; the credit cards can be used to withdraw at any credit card or swipe machine, at
    stores and POS machines. We sell these cards to all our customers and interested
    buyers worldwide. The credit card has a daily withdrawal limit of $5,500 at any credit card machine
    and up to a $50,000 spending limit in stores, depending on the kind of card
    you order. Credit cards can also be used in any other cyber hack {Services}; we are here for you anytime, any day.

    Here is our price list for the credit cards:

    Cards that withdraw $5,500 per day cost $200 USD
    Cards that withdraw $10,000 per day cost $850 USD
    Cards that withdraw $35,000 per day cost $2,200 USD
    Cards that withdraw $50,000 per day cost $5,500 USD
    Cards that withdraw $100,000 per day cost $8,500 USD

    Make up your mind before applying, straight deal!!!

    The price includes shipping fees and charges. Order now: contact us via
    email address: Legitblankcardsonline@gmail.com



  14. Best hacker, contact elizabethjone146@gmail.com
    WhatsApp +18572012269
    Do you need a hacker to hack into your cheating ass's account, or do you want us to hack into the following accounts, such as:
    Facebook hack
    Gmail hack
    WhatsApp hack
    website hack
    tracking calls
    online hacking lectures
    phone clone
    online records changes
    retrieval of hacked social media accounts
    deleted text messages

    ATM machine hack / password from any email address.
    Get any password from any Facebook, Twitter or Instagram account.
    Cell phone hacking (WhatsApp, Viber, Line, WeChat, etc.)
    Grade changes (institutes and universities)
    Website hacking, pentesting.
    IP addresses and people tracking.
    Hacking courses and classes.
    Blank ATM card.
    Loading of bitcoin accounts
    contact elizabethjone146@gmail.com
    WhatsApp +18572012269