Lumension® Endpoint Intelligence Center


PayPal complete account hijacking bug gets fix, no award given

2015/01/05

Softpedia - (International) PayPal fixed a bug, discovered by a researcher, that potentially allowed an attacker to steal sensitive information from an account. The researcher found that PayPal did not verify the actual contents of a file uploaded through a page and trusted the item's extension implicitly, despite the fact that the data is served back with a false MIME type (the media type of the message content). The bug would have allowed an attacker to upload any file to any PayPal subdomain in order to compromise an account.

Source: http://news.softpedia.com/news/PayPal-Complete-Account-Hijacking-Bug-Gets-Fix-No-Award-Given-468856.shtml

Note: This news synopsis is taken from the DHS Daily Open Source Infrastructure Report, a daily [Monday through Friday, except US Federal holidays] summary of open-source published information concerning significant critical infrastructure issues; a 10-day archive of the DOSIR can be found at: http://www.dhs.gov/dhs-daily-open-source-infrastructure-report.
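The check the synopsis says was missing, sketched as an added example (not PayPal's code and not from the Softpedia article): the upload's bytes must match the claimed extension, and the served Content-Type comes from the verified content. The allow-list, the marker list and the function name `inspect_upload` are assumptions made for illustration.

```python
import os

# Constructed allow-list: extension -> (required leading bytes, Content-Type to serve).
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".gif": (b"GIF8", "image/gif"),
    ".pdf": (b"%PDF-", "application/pdf"),
}
# Heuristic markers of active content hidden behind a valid signature.
ACTIVE_MARKERS = (b"<script", b"<html", b"<svg", b"<?php", b"<!doctype")


def inspect_upload(filename, data):
    """Return (headers, None) if the upload is acceptable, else (None, reason)."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED:
        return None, "extension not on allow-list"
    signature, content_type = ALLOWED[ext]
    # The extension is only a claim; the bytes must back it up.
    if not data.startswith(signature):
        return None, "content does not match extension"
    # A file can carry a valid signature and still embed markup.
    if any(marker in data[:1024].lower() for marker in ACTIVE_MARKERS):
        return None, "active content after signature"
    headers = {
        # Derived from the verified content, never from the client's claim.
        "Content-Type": content_type,
        # Tells the browser not to second-guess the declared type.
        "X-Content-Type-Options": "nosniff",
        # Download rather than render in the site's origin.
        "Content-Disposition": 'attachment; filename="upload%s"' % ext,
    }
    return headers, None


if __name__ == "__main__":
    samples = [  # constructed inputs
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("avatar.png", b"<html><body>not an image</body></html>"),
        ("banner.gif", b"GIF89a<script>/* constructed */</script>"),
        ("notes.html", b"<html></html>"),
    ]
    for fname, blob in samples:
        print(fname, inspect_upload(fname, blob))
```

The marker scan is a heuristic over the leading bytes only; serving uploads from a separate, cookie-less domain remains the stronger control.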


Last Updated: 27 May 2016 10:22:59