Had it not been fixed, the flaw would have given attackers access to accounts connected to the affected apps. The weak spot was discovered by Antonio Sanso, a senior software engineer at Adobe, while he was testing his own OAuth client.
OAuth is an open standard for secure authentication used by many technology companies, according to IT news. Companies such as Google and Facebook had flaws similar to PayPal's, which were also discovered by Sanso.
The vulnerability stems from PayPal accepting localhost as a valid value for the redirect_uri parameter in the authentication flow. By adding a DNS entry for his own website (localhost.intothesymmetry.com), Sanso was able to trick PayPal's validation into revealing OAuth authentication tokens he would normally not have been entitled to see.
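The following added example (not code from the article or from PayPal) contrasts a loose redirect_uri check of the kind described above, which treats any hostname beginning with "localhost" as a developer machine, with an exact-match check that still honours the RFC 8252 loopback rule. The registered URIs and the weak check's logic are constructed assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed sample data: the redirect URIs a hypothetical OAuth client has
# registered with the authorization server (not PayPal's real configuration).
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
    "http://localhost/oauth/callback",
}


def weak_redirect_check(redirect_uri: str) -> bool:
    """Flawed validation. This is an assumed reconstruction of the class of
    check the article describes: any host beginning with 'localhost' is
    treated as the developer's own machine and waved through."""
    host = urlparse(redirect_uri).hostname or ""
    return host.startswith("localhost") or redirect_uri in REGISTERED_REDIRECT_URIS


def strict_redirect_check(redirect_uri: str) -> bool:
    """Hardened validation: exact string match against the registered URIs.
    The only relaxation is the RFC 8252 loopback rule for native apps: the
    port may vary, but the hostname must be exactly 'localhost' or
    '127.0.0.1', so a name like 'localhost.<anything>' can never qualify."""
    parsed = urlparse(redirect_uri)
    if parsed.fragment or not parsed.scheme or not parsed.hostname:
        return False
    if redirect_uri in REGISTERED_REDIRECT_URIS:
        return True
    if parsed.scheme == "http" and parsed.hostname in ("localhost", "127.0.0.1"):
        # Drop the (variable) port and compare the remainder exactly.
        portless = f"http://{parsed.hostname}{parsed.path}"
        if parsed.query:
            portless += "?" + parsed.query
        return portless in REGISTERED_REDIRECT_URIS
    return False


def compare(redirect_uri: str) -> tuple[bool, bool]:
    """Return (weak_result, strict_result) for one candidate redirect_uri."""
    return weak_redirect_check(redirect_uri), strict_redirect_check(redirect_uri)


if __name__ == "__main__":
    for uri in (
        "https://app.example.com/oauth/callback",
        "http://localhost:8080/oauth/callback",
        "https://localhost.intothesymmetry.com/oauth/callback",
    ):
        print(uri, compare(uri))
```

Only the third URI separates the two checks: the weak check accepts it because the hostname starts with "localhost", while the strict check rejects it because the hostname is not exactly a loopback name and the URI was never registered.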
The vulnerability worked for any PayPal OAuth client, Sanso continued. He reported the flaw to PayPal on September 9, 2016; in early November 2016 PayPal said it had fixed the issue and awarded Sanso a bug bounty for finding it, the site continued.