PayPal issues critical patch to prevent hackers from stealing OAuth tokens

by Radu Tyrsina, CEO & Founder

OAuth serves as an open standard for token-based authentication employed by many internet giants, including PayPal. That is why the discovery of a critical flaw in the online payments service that could have allowed hackers to steal OAuth tokens from users has sent PayPal scrambling to roll out a patch.

Antonio Sanso, a security researcher and Adobe software engineer, discovered the flaw after he tested his own OAuth client. In addition to PayPal, Sanso also detected the same vulnerability in other major internet services like Facebook and Google.

Sanso says the problem lies in the way PayPal validates the redirect_uri parameter before issuing authentication tokens to applications. The service has been using enhanced redirect checks on the redirect_uri parameter since 2015. Still, that did not stop Sanso from bypassing those checks when he began investigating the system in September.

PayPal lets developers register their apps with the service through a dashboard that produces token requests. The resulting token requests are then sent to a PayPal authorization server. Sanso found an error in how PayPal treats localhost as a valid redirect_uri parameter during the authorization process; he said this was an incorrect implementation of OAuth.

Gaming the validation system

Sanso then went on to game PayPal’s validation system and have it reveal the otherwise confidential OAuth authentication tokens. He managed to trick the system by adding a specific DNS entry for his own website, noting that localhost served as the magic word for overriding PayPal’s exact-match validation.

According to Sanso, the vulnerability could have compromised any PayPal OAuth client. He advised developers to register a very specific redirect_uri when creating an OAuth client. Sanso wrote in a blog post:

DO register https://yourouauthclient[dot]com/oauth/oauthprovider/callback. NOT JUST https://yourouauthclient[dot]com/ or https://yourouauthclient[dot]com/oauth.
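To make the advice concrete, here is an added example (not PayPal's code or Sanso's) of an authorization server's redirect_uri check. `loose_is_valid` models the kind of development exception the article describes, where a hostname containing localhost short-circuits matching; `strict_is_valid` does the exact match against the full registered callback URL that Sanso recommends. The client id and the registered URI are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample registration: one client with one exact callback URL.
REGISTERED = {
    "client-123": {
        "https://yourouauthclient.example/oauth/oauthprovider/callback",
    },
}


def loose_is_valid(client_id: str, redirect_uri: str) -> bool:
    """Weak check: a hostname containing 'localhost' is accepted without
    consulting the registration. Any DNS name an attacker controls that
    contains that substring passes, which is the gap the article describes."""
    host = urlsplit(redirect_uri).hostname or ""
    if "localhost" in host:
        return True
    return redirect_uri in REGISTERED.get(client_id, set())


def strict_is_valid(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: the presented redirect_uri must equal one of the
    registered strings byte for byte. No substring, prefix or hostname
    exception, so neither https://yourouauthclient.example/ nor a
    look-alike host is accepted."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    # RFC 6749 forbids a fragment in redirect_uri; reject it outright.
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED.get(client_id, set())
```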

PayPal did not believe Sanso’s findings at first, though the company eventually reconsidered and has now issued a fix for the flaw.
