PayPal Dodges Security Bullet

PayPal thwarted a security vulnerability that would have enabled malicious emails to be sent from its platform thanks to its bug bounty program.

The issue was patched after it was revealed by researcher Benjamin Kunz Mejri of German firm Vulnerability Lab, which found the application-side Web encoding vulnerability within the official PayPal online Web application, ZDNet reported on Thursday (March 31).

According to ZDNet, the threat level of the issue was classified as “medium” on the Common Vulnerability Scoring System with a score of 3.9. If the vulnerability would have been exploited, hackers would have been able to integrate malicious codes within emails sent out via PayPal’s official portal.

“Exploitation of the persistent input validation Web vulnerability requires a low-privilege Web application user account and low user interaction,” the technical write-up by Vulnerability Lab explained. “Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context.”

PayPal awarded Mejri with $1,000 for discovering the vulnerability and submitting it to the company’s bug bounty program, which encourages professional security researchers to submit any security flaws or issues they find directly to PayPal for the chance to win up to $10,000.

Mejri notified PayPal about the vulnerability in Oct. 2015 and was able to publish his findings after PayPal developed a patch and deployed it this month.