PayPal issues critical patch to prevent hackers from stealing OAuth tokens

Edward Hudson By: Edward Hudson
2 minute read

Home » News » PayPal issues critical patch to prevent hackers from stealing OAuth tokens

OAuth serves as an open standard for token-based authentication employed by many internet giants, including PayPal. That is why the discovery of a critical flaw in the online payments service that could have allowed hackers to steal OAuth tokens from users has sent PayPal scrambling to roll out a patch.

Antonio Sanso, a security researcher and Adobe software engineer, discovered the flaw after he tested his own OAuth client. In addition to PayPal, Sanso also detected the same vulnerability in other major internet services like Facebook and Google.

Sanso says the problem lies in the way PayPal handles the redirect_uri parameter to give applications certain authentication tokens. The service has been using enhanced redirect checks to confirm the redirect_uri parameter since 2015. Still, it did not stop Sanso from bypassing these checks when he started to investigate the system in September.

PayPal lets developers use a dashboard that can produce token requests in order to enlist their apps with the service. The resulting token requests are then sent to a PayPal authorization server. Now, Sanso found an error in how PayPal recognizes a localhost as a valid redirect_uri parameter during the authentication process. He said this method wrongly implemented OAuth.

Gaming the validation system

Sanso then went on to game PayPal’s validation system and have it reveal the otherwise confidential OAuth authentication tokens. He managed to trick the system by adding a certain domain name system entry to his website, noting that localhost served as the magic word for overriding PayPal’s exact matching validation process.

The vulnerability could have compromised any PayPal OAuth client according to Sanso. He advised users to create a very specific redirect_uri when making an OAuth client. Sanso wrote in a blog post:

DO register https://yourouauthclient[dot]com/oauth/oauthprovider/callback. NOT JUST https://yourouauthclient[dot]com/ or https://yourouauthclient[dot]com/oauth.

PayPal did not believe Sanso’s findings at first, though the company eventually reconsidered its decision and now issued a fix to the flaw.

Read also:

Discussions

Next up

How to fix Windows 10 update error 0xca00a000 in 7 easy steps

Matthew Adams By: Matthew Adams
5 minute read

Error 0xca00a000 is a Windows Update error that arises for some users. The full error message states: 2018-07 Cumulative Update for Windows 10 Version 1803 for […]

Continue Reading

Top 5 software to recover Microsoft Excel passwords

Tashreef Shareef avatar. By: Tashreef Shareef
Less than a 1 minute read

From billing and data management to keeping track of inventory, finance and business tasks, Microsoft Excel is one handy program. The fact that Excel application is […]

Continue Reading

How to fix League of Legends patch issues on PC

Ivan Jenic By: Ivan Jenic
5 minute read

10 solutions to fix LoL patch issues Change screen refresh rate Reset Winsock Run the game as Admin Force Re-Patch Repair game files Disable UAC […]

Continue Reading