How I Hacked PayPal's User Reports System
Today, I’m going to tell you about how I was able to hack the PayPal Reports System a considerably long time ago.
This bug was reported to the PayPal Security Team and fixed immediately.
Using this vulnerability, I was able to gain complete access to the reports of PayPal users. In these reports, you’ll find information about users’ orders, such as:
In the PayPal user interface, there is an option called “Reports”:
Customers can use this option to gain access to their own purchase reports.
When I clicked on my report, I noticed that the application sent a post request that looked like this (POST /acweb/iportal/activePortal/viewer/viewframeset.jsp):
As soon as I saw the folder (/acweb/iportal/activePortal/viewer/), I had a weird feeling about it (iportal, activePortal).
Then, I made a quick Google Search:
I discovered that this application was developed by Actuate:
At this point, it seemed like PayPal was using the Actuate Iportal Application (a third party app) to display customer reports to their users.
As you know, I really enjoy trial versions. Trial versions are like:
for “Hackers”. In any event, I downloaded the 30-day trial version of the Actuate Iportal application. This gave me access to the source code, folder structure, and file names.
And guess what:
There’s even a full manual for Actuate users.
App manuals save a ton of time because they make parameter info and file names readily available.
After a more thorough inspection, I located an interesting file named getfolderitems.do. The PayPal Reports System (business.paypal.com) allowed me to access this file as an ordinary user.
That’s because the Actuate app uses this file to display user reports. The best part is that you don’t need admin access to use it.
Let’s take a closer look at the interesting parameters of the getfolderitems.do file:
id parameter: displays the items of a specific user’s folder, for example
id=1234 (Nir’s item)
id=12345 (Egor’s item)
folder parameter: selects the users’ report folder (getfolderitems.do?folder=/users/)
My initial attempt to break the PayPal Reports System was aimed at accessing the users’ folder through getfolderitems.do.
PayPal was blocking my request for access to the users’ folder via getfolderitems.do.
At this point, I knew that PayPal was aware of the loophole and had already tried to prevent malicious access. Thus, I needed to come up with another way to perform a successful attack that would permit me to gain access to PayPal’s user reports.
My research found that the id parameter of getfolderitems.do exposed the secret tokenid of the user.
So, PayPal rejects any request to access the users’ folders through getfolderitems.do.
But it allows requests to access the users’ folders if the attacker knows the secret tokenid of the “victim.”
If the attacker (me, in this case) manipulated the id parameter (getfolderitems.do?id=392302), then PayPal would expose the secret tokenid of the victim.
The id parameter contains only 8-10 digits, and PayPal has millions of users.
By doing this, I was able to access the valid tokenid values of PayPal users, which would allow me to perform a follow-up attack on the users’ report folders:
And I gained full access to all the users’ report folders.
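As an added defender-side example (not code from the original post), here is how a log review could spot the kind of id walking described above: it parses constructed access-log lines, assuming a request path under /acweb/iportal/activePortal/ and a sess= field that real logs may not carry, and flags sessions that request runs of numerically adjacent id values.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real PayPal traffic). Session A walks
# consecutive numeric ids through getfolderitems.do; session B browses normally.
# The request path is assumed from the /acweb/iportal/activePortal/ folder above.
SAMPLE_LOG = """\
10.0.0.5 sess=A "GET /acweb/iportal/activePortal/getfolderitems.do?id=392302 HTTP/1.1" 200
10.0.0.5 sess=A "GET /acweb/iportal/activePortal/getfolderitems.do?id=392303 HTTP/1.1" 200
10.0.0.5 sess=A "GET /acweb/iportal/activePortal/getfolderitems.do?id=392304 HTTP/1.1" 200
10.0.0.5 sess=A "GET /acweb/iportal/activePortal/getfolderitems.do?id=392305 HTTP/1.1" 200
10.0.0.9 sess=B "GET /acweb/iportal/activePortal/getfolderitems.do?id=771020 HTTP/1.1" 200
10.0.0.9 sess=B "POST /acweb/iportal/activePortal/viewer/viewframeset.jsp HTTP/1.1" 200
"""

# One regex for the (constructed) log line shape, one for the id query parameter.
LINE_RE = re.compile(r'^(?P<ip>\S+) sess=(?P<sess>\S+) "(?P<method>\w+) (?P<path>\S+)')
ID_RE = re.compile(r'getfolderitems\.do\?(?:[^ ]*&)?id=(?P<id>\d+)')

def ids_per_session(log_text):
    """Map each session to the list of numeric ids it requested via getfolderitems.do."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idm = ID_RE.search(m.group("path"))
        if idm:
            seen[m.group("sess")].append(int(idm.group("id")))
    return dict(seen)

def flag_enumeration(log_text, min_ids=3, max_gap=10):
    """Return sessions that requested at least min_ids distinct ids, each within
    max_gap of its numeric neighbour: the signature of walking the id space."""
    flagged = []
    for sess, ids in ids_per_session(log_text).items():
        distinct = sorted(set(ids))
        if len(distinct) < min_ids:
            continue
        gaps = [b - a for a, b in zip(distinct, distinct[1:])]
        if max(gaps) <= max_gap:
            flagged.append(sess)
    return flagged

if __name__ == "__main__":
    print("suspicious sessions:", flag_enumeration(SAMPLE_LOG))
```

Tune min_ids and max_gap to the real traffic profile; a single user viewing a few of their own reports should never produce a tight run of adjacent ids.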
During PayPal’s bug bounty program, I located a ton of vulnerabilities in the Iportal application. In the end, PayPal just decided to get rid of it entirely.