Security Researcher Hijacks PayPal Accounts via Flash File

A security researcher has discovered a flaw in the PayPal website so he could take over users' accounts. The vulnerability was in the page to generate invoices. The page allows users to upload different types of files. PayPal turned out only to check the extension of the uploaded files, not the content, so the researcher discovered.

This allowed him to a Flash file with full read on www.paypal.com upload. Then, to take account of a user, the user must visit a Web site of the researcher. The researcher can then execute arbitrary commands with the PayPal account, such as the transfer of money and steal data.

The researcher reported the problem with us that rewards bug reports through a special program. However, eight days after he was told that another researcher had already reported the problem and, therefore, no compensation was paid. "I know that researchers sometimes find the same bugs, but I think that PayPal better to deal with this double bug reports," said the disappointed researcher.