In a blog post and video demo of the bug, Ali said the “critical vulnerability” meant an attacker could hijack any PayPal user account, install their own contact details, and change the billing, shipping address and payment methods as they liked.
PayPal rapidly fixed the flaw, Ali said, and awarded him their maximum US$10,000 bug bounty.
This is the second major bug Ali has found this year. In May he exposed a gap in the security of global auction site eBay, which owns PayPal, that also allowed any of eBay's 150 million or more users' accounts to be hacked.
Ali reported the bug to 'Hacker News', which kept the technical details under wraps until September to give the eBay security team time to patch it.
His blog on the latest PayPal problem shows that in fact he discovered three separate security issues that, combined, allowed the account takeover.
Ali found a way to bypass PayPal's CSRF (Cross-Site Request Forgery) protection, the mechanism meant to verify that every request to the PayPal website genuinely comes from the logged-on user rather than from a third-party site.
He said this flaw could allow an attacker to capture the "magical" CSRF Auth security token and so 'validate' almost any request they wanted to make on behalf of a user.
Ali also discovered that this CSRF Auth token is re-usable, meaning it is not tied to a single user or session: an attacker holding one token could impersonate any logged-on PayPal user, not just the one it was captured from.
Then he found that a hacker could change any PayPal user's security questions without first needing their password. So, armed with the CSRF Auth validation, they could go ahead and amend the access details and so hijack any account they liked.
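The three issues Ali chained, as an added defender-side illustration that is not code from PayPal or from Ali's write-up: a shared anti-CSRF token that any session can reuse, beside one bound to the caller's own session, and a security-question change that additionally demands the account password. Session ids, the user record, the salt and the server key are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment keeps this in a key store.
SERVER_KEY = secrets.token_bytes(32)

# Weak pattern: one anti-CSRF value accepted for every user and session.
# A single token seen once then "validates" requests on behalf of anyone.
GLOBAL_TOKEN = "static-auth-token"

def weak_csrf_valid(token: str) -> bool:
    return hmac.compare_digest(token, GLOBAL_TOKEN)

# Hardened pattern: derive the token from the caller's own session id, so a
# token taken from one session fails validation in every other session.
def issue_csrf_token(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def hardened_csrf_valid(session_id: str, token: str) -> bool:
    return hmac.compare_digest(issue_csrf_token(session_id), token)

# Constructed user record; PBKDF2 stands in for whatever slow hash is in use.
SALT = b"constructed-salt"
def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": {"pw": pw_hash("alice-pass"), "question": ("pet", "rex")}}

def change_question_weak(user: str, token: str, q: str, a: str) -> bool:
    # Only the shared token is checked and no password is re-confirmed, so the
    # request succeeds for any account the caller names.
    if not weak_csrf_valid(token):
        return False
    USERS[user]["question"] = (q, a)
    return True

def change_question_hardened(session_id: str, user: str, token: str,
                             password: str, q: str, a: str) -> bool:
    # Sensitive change: requires the per-session token AND the account password.
    if not hardened_csrf_valid(session_id, token):
        return False
    if not hmac.compare_digest(pw_hash(password), USERS[user]["pw"]):
        return False
    USERS[user]["question"] = (q, a)
    return True
```

The hardened variant rejects a token issued to a different session and rejects a correct token presented without the password, which closes both the re-use and the no-password gaps described above.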
A PayPal spokesperson confirmed to SCMagazineUK.com via email: "Through the PayPal Bug Bounty Programme, one of our security researchers recently made us aware of a way to bypass PayPal's Cross-Site Request Forgery (CSRF) protection authorisation system when logging onto PayPal.com. Our team worked quickly to address this vulnerability, and we have already fixed the issue."
At time of writing, the spokesperson did not confirm whether any accounts had been compromised using the flaw.
Commenting on Ali's research, Fran Howarth, a senior security analyst at Bloor Research, said it highlighted the continuing problem both of cross-site request forgery vulnerabilities in general and of weaknesses in PayPal's security in particular.
She told SCMagazineUK.com via email: “CSRF is consistently one of the top 10 flaws affecting web applications, according to OWASP, and one that every web application deliverer needs to be aware of and to test for thoroughly. And this is especially true when the web application is a payment system.”
Howarth added: “This is certainly not the first time that researchers have found bugs of this severity in the PayPal system and will probably not be the last. Rather than just patching the flaws that are found, PayPal would be better off with a more secure application development and testing regime.”
Meanwhile, cyber-security expert Scott MacKenzie, CISO at UK security solutions provider Logical Step, said Ali's discovery demonstrates the value of bug bounty programmes.
"Yasser Ali identified three PayPal vulnerabilities: a CSRF, an Auth token bypass and a security question reset flaw. PayPal acted proactively to rapidly patch the vulnerabilities. I understand they also promptly paid Yasser under the terms of their bug bounty programme.
“Bug bounty programmes are very positive steps that organisations can adopt, because the more eyeballs you can get looking for vulnerabilities in your code, the more secure your resultant systems are.
"Any organisation connected to the internet is constantly having their security tested. Bug bounty programmes are a great way to both reward the security researchers and secure the systems of the sponsoring organisations."