PayPal's business site vulnerable to remote code execution

News by Max Metzger

Michael Stepankin, also known as Artsploit, has disclosed a major vulnerability in PayPal's business site, allowing remote code execution.

A critical vulnerability has been found in payment processing giant PayPal's business website, 

The security researcher known as Artsploit, Michael Stepankin, discovered the vulnerability late last year. In his disclosure post he describes finding a POST form parameter called ‘oldFormData’ that, in his words, looked “like a complex object after base64 decoding”. 

As it turns out, it was a Java serialised object with no signature. 

Serialisation is the process of converting an in-memory object into a static, binary form that can be stored or transmitted; deserialisation reconstructs the object from those bytes. As Chris Frohoff and Gabriel Lawrence explained in a post at Foxglove Security, this becomes a problem “when developers write code that accepted serialised data from users and attempt to serialise for use in the program”. 

Such a vulnerability, Frohoff and Lawrence explained, can, if properly exploited, allow an attacker to carry out remote code execution on the target. In this case, Stepankin found that he could execute arbitrary OS commands on PayPal's servers and upload and execute a backdoor. 
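Two defensive points follow from the paragraphs above: a base64 form field that decodes to a Java serialized object is recognisable (every `java.io.ObjectOutputStream` stream begins with the bytes `AC ED 00 05`, so its base64 form starts with `rO0AB`), and a blob that carries no signature can be replaced by anything an attacker likes before it reaches the deserializer. The example below is added here and is not code from the article, from Stepankin or from PayPal; it shows a small detection routine run over constructed request parameters, and a constructed HMAC-signed form-state scheme that rejects unsigned or tampered blobs before they are ever parsed. The parameter names, the key and the payload bytes are all made up for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, List, Optional

# Java serialization stream header: STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005). Base64 of these four bytes begins with "rO0AB".
JAVA_STREAM_HEADER = b"\xac\xed\x00\x05"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def is_java_serialized(blob: bytes) -> bool:
    """True if the bytes begin with the java.io serialization stream header."""
    return blob.startswith(JAVA_STREAM_HEADER)


def decode_base64_param(value: str) -> Optional[bytes]:
    """Base64-decode a form value; return None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_serialized_params(params: Dict[str, str]) -> List[str]:
    """Names of form parameters whose base64-decoded value is a Java
    serialized object. Usable as a proxy/WAF rule or as a code-review aid
    for locating which inputs reach ObjectInputStream."""
    hits = []
    for name, value in params.items():
        raw = decode_base64_param(value)
        if raw is not None and is_java_serialized(raw):
            hits.append(name)
    return hits


# Mitigation for the "no signature" problem: the server signs the state it
# emits and verifies the tag before anything is deserialized. A forged or
# edited blob fails the check and is dropped without being parsed.
def sign_form_state(blob: bytes, key: bytes) -> str:
    """Return base64(blob || HMAC-SHA256(key, blob)) for a hidden form field."""
    tag = hmac.new(key, blob, hashlib.sha256).digest()
    return base64.b64encode(blob + tag).decode("ascii")


def verify_form_state(token: str, key: bytes) -> Optional[bytes]:
    """Return the original blob only if the HMAC verifies; otherwise None."""
    raw = decode_base64_param(token)
    if raw is None or len(raw) <= TAG_LEN:
        return None
    blob, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return blob


# Constructed sample: a fake serialized payload (header plus filler bytes,
# not a real object stream), a constructed server key, and a request with
# one unsigned serialized field among ordinary parameters.
CONSTRUCTED_BLOB = JAVA_STREAM_HEADER + b"sr\x00\x09FormState"
CONSTRUCTED_KEY = b"constructed-server-side-secret"
CONSTRUCTED_PARAMS = {
    "csrfToken": base64.b64encode(b"plain opaque token").decode("ascii"),
    "oldFormData": base64.b64encode(CONSTRUCTED_BLOB).decode("ascii"),
    "comment": "hello world",
}


def demo() -> Dict[str, object]:
    """Run detection and the sign/verify round trip on the constructed data."""
    token = sign_form_state(CONSTRUCTED_BLOB, CONSTRUCTED_KEY)
    return {
        "flagged": find_serialized_params(CONSTRUCTED_PARAMS),
        "signed_ok": verify_form_state(token, CONSTRUCTED_KEY) == CONSTRUCTED_BLOB,
        "unsigned_rejected": verify_form_state(CONSTRUCTED_PARAMS["oldFormData"], CONSTRUCTED_KEY) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Signing only establishes that the blob came from the server; it does not make deserialization of that blob safe by itself. On a Java service the verified blob should still go through an allowlisting `ObjectInputFilter` (JEP 290, Java 9 and later), or better, the state should be carried in a plain data format such as JSON rather than as a serialized object graph.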

Stepankin spoke to and explained how this particular exploit could be used on PayPal. He said a hacker “could gain access to production databases where PayPal business customers data is stored. I didn't even try to do it because it's considered illegal [even] when you perform security testing.” 

Stepankin even kindly made a video of how to exploit this vulnerability.


Despite this detailed walkthrough of how to exploit the vulnerability, PayPal, as Stepankin notes, fixed it “within a couple of days”. The PayPal team, which runs a bug bounty programme, “decided to pay me a good bounty and I have nothing but respect for them,” Stepankin wrote. 
