OAuth sits behind the login script of many sites

PayPal has fixed a flaw in its service that could enable hackers to steal OAuth tokens used in its payments apps.

Security researcher and Adobe software engineer Antonio Sanso found the problem after testing his own OAuth client.

OAuth is a secure authentication standard used by many websites, including Facebook and Google. Sanso also found similar problems with these websites.

PayPal tightened its checks on the redirect_uri parameter in 2015, but Sanso still managed to find a way around them. Sanso began his investigation in September.

PayPal lets developers create and maintain their own applications through its developer application dashboard. Developers can get access tokens by registering apps and sending a request for a token to a PayPal authorisation server.

The flaw appears to be down to how PayPal accepts localhost as a valid redirect_uri parameter in the authentication flow; it made an error in how it implemented OAuth. Sanso added a DNS entry for a host under his own domain (localhost.intothesymmetry.com) and managed to deceive PayPal's validation into disclosing OAuth authentication tokens that would otherwise remain hidden from view.

"So it really looks like that even if PayPal did actually perform exact matching validation, localhost was a magic word and it overrides the validation completely," Sanso said in a blog post.

The flaw appears to affect any PayPal OAuth client, according to Sanso. “All your PayPal tokens belong to me – localhost for the win,” he added.

He recommended that when building an OAuth client, the redirect_uri registered in that client should be as specific as possible.

“DO register https://yourouauthclient[dot]com/oauth/oauthprovider/callback,” he said. “NOT JUST https://yourouauthclient[dot]com/ or https://yourouauthclient[dot]com/oauth.”

He added that the only safe validation method for the authorisation server to adopt was exact matching. “Although other methods offer client developers desirable flexibility in managing their application's deployment, they are exploitable.”
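To make the two validation strategies concrete, the following added example (not PayPal's code and not Sanso's) contrasts a hypothetical reconstruction of the flawed check described above, where exact matching is bypassed whenever the requested host is "localhost" or a subdomain of it, with the exact-match check Sanso recommends, plus a registration-time lint that flags a redirect_uri that is less specific than it should be. The registered URI, the helper names and the "magic word" shortcut are assumptions made for illustration; only the host localhost.intothesymmetry.com comes from the article.

```python
from typing import List
from urllib.parse import urlsplit

# Constructed sample client registration (assumption, not real PayPal data).
REGISTERED_REDIRECT_URI = "https://yourouauthclient.com/oauth/oauthprovider/callback"

# Attacker-controlled host from the article: a DNS entry under the
# researcher's own domain whose label happens to start with "localhost".
RESEARCHER_REDIRECT_URI = "https://localhost.intothesymmetry.com/callback"


def weak_validate(registered: str, requested: str) -> bool:
    """Hypothetical reconstruction of the flawed check the article describes.

    Exact matching is performed, but any redirect_uri whose host is
    "localhost" or a subdomain of it is accepted unconditionally, so the
    "magic word" overrides the validation completely.
    """
    if requested == registered:
        return True
    host = (urlsplit(requested).hostname or "").lower()
    # Developer-convenience shortcut; this is the defect being illustrated.
    return host == "localhost" or host.startswith("localhost.")


def strict_validate(registered: str, requested: str) -> bool:
    """Exact matching: the only validation method the article calls safe.

    No prefix, suffix, wildcard or special-case host is honoured; the
    requested value must be byte-for-byte identical to the registered one.
    """
    return requested == registered


def registration_warnings(redirect_uri: str) -> List[str]:
    """Lint a redirect_uri at registration time for lack of specificity.

    Implements the advice to register the full callback path rather than
    just the origin, and to use https.
    """
    parts = urlsplit(redirect_uri)
    warnings: List[str] = []
    if parts.scheme != "https":
        warnings.append("scheme is not https")
    if parts.path in ("", "/"):
        warnings.append("no callback path: the whole origin is registered")
    if parts.query or parts.fragment:
        warnings.append("query or fragment present: keep the registered URI minimal")
    return warnings


if __name__ == "__main__":
    for label, check in (("weak", weak_validate), ("strict", strict_validate)):
        accepted = check(REGISTERED_REDIRECT_URI, RESEARCHER_REDIRECT_URI)
        print(f"{label:6} validator accepts researcher host: {accepted}")
    print("warnings for origin-only registration:",
          registration_warnings("https://yourouauthclient.com/"))
```

Run as a script, the weak validator accepts the researcher's host while the strict one rejects it, and the origin-only registration is flagged; this is the difference between a token being redirected to an attacker-controlled callback and the request being refused.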

Sanso reported the issue to PayPal on 9 September this year. He said he received a response a few days later in which PayPal stated there was no vulnerability. Sanso persisted and asked the firm to reconsider its findings. PayPal later relented, confirmed the issue had been fixed and awarded Sanso a bounty for his efforts. The fix was deployed on 7 November.

Craig Parkin, associate partner at Citihub Consulting, told SC Magazine that the vulnerability was specific to PayPal's OAuth implementation and that he believed it might have been introduced to help development.

“It's also worth noting that this would have led to PayPal users losing tokens, and potentially of more impact to users rather than organisations,” he said. He added that the problem isn't specifically an OAuth vulnerability “but the way it's been implemented”.

Earlier this year, security researchers discovered two flaws in OAuth 2.0 that could enable hackers to stage man-in-the-middle attacks. Both flaws break authorisation and authentication in OAuth, were also present in the newer OpenID Connect standard, and can be exploited in practice.