PayPal recently fixed a vulnerability on its PayPal.me site that could have let an attacker change a user’s profile without permission.
The issue stemmed from a cross-site request forgery (CSRF) vulnerability in PayPal.me, a site the company launched last year to let its users request money, similar to what Venmo, another property it owns, does.
Florian Courtial, a French software engineer who hunts for bugs in his spare time, discovered the vulnerability and discussed it on his personal blog earlier this week. Courtial previously disclosed bugs in Slack and the project management app Trello.
Courtial found the bug while rooting around both PayPal.com and PayPal.me for CSRF vulnerabilities. Using Burp Suite, he discovered he could remove or edit the CSRF token and still update a user’s PayPal profile picture, meaning the server was not actually validating the token it issued. The response was also missing a few security headers, such as X-Frame-Options: DENY, which allowed him to submit the form without redirection.
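The defect described above is a server that issues a CSRF token but never checks it, so a request with the token removed or altered is processed just like a legitimate one. The following is an added illustration, not PayPal's code and not from Courtial's write-up: it models a profile-picture update handler in two forms, one that ignores the token (the weak pattern) and one that rejects any request whose token is missing or does not match the session's token, and that also sends the response headers the article mentions. The `Session`, `Request`, handler names and the allowed-origin list are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session; a fresh CSRF token is minted when it is created (constructed)."""
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    profile_picture: str = "default.png"


@dataclass
class Request:
    """Minimal model of an incoming POST: the authenticated session, form fields, Origin header."""
    session: Session
    form: Dict[str, str]
    origin: Optional[str] = None


def update_picture_vulnerable(req: Request) -> int:
    """Weak pattern: the form carries a csrf_token field, but the handler never reads it.

    A cross-site form post that omits or edits the token is accepted, which is the
    behaviour the article describes.
    """
    req.session.profile_picture = req.form["picture"]
    return 200


def update_picture_hardened(req: Request, allowed_origins: tuple) -> int:
    """Hardened pattern: reject the request unless the submitted token matches the session's.

    compare_digest avoids leaking the token through timing differences; the Origin check
    is a defence-in-depth layer for browsers that send the header.
    """
    submitted = req.form.get("csrf_token")
    if submitted is None or not hmac.compare_digest(submitted, req.session.csrf_token):
        return 403
    if req.origin is not None and req.origin not in allowed_origins:
        return 403
    req.session.profile_picture = req.form["picture"]
    return 200


def security_headers() -> Dict[str, str]:
    """Response headers a profile page should carry; X-Frame-Options: DENY is the one the article names."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "Cache-Control": "no-store",
    }


def simulate(handler, allowed_origins=("https://profile.example",)) -> Dict[str, object]:
    """Run one handler against three constructed requests and report what each one achieved."""
    results = {}
    for label, token, origin in (
        ("legit", None, "https://profile.example"),          # real page: correct token
        ("token_removed", "", "https://attacker.example"),    # cross-site form, token stripped
        ("token_edited", "deadbeef", "https://attacker.example"),  # cross-site form, token altered
    ):
        sess = Session(user_id="alice")
        form = {"picture": f"{label}.png"}
        if token is None:
            form["csrf_token"] = sess.csrf_token
        elif token:
            form["csrf_token"] = token
        req = Request(session=sess, form=form, origin=origin)
        if handler is update_picture_hardened:
            status = handler(req, allowed_origins)
        else:
            status = handler(req)
        results[label] = (status, sess.profile_picture)
    return results


if __name__ == "__main__":
    print("vulnerable:", simulate(update_picture_vulnerable))
    print("hardened:  ", simulate(update_picture_hardened))
    print("headers:   ", security_headers())
```

Running the script shows the weak handler changing the picture on all three requests, while the hardened handler only honours the one carrying the session's own token. Regenerating the token per session (or per form) and comparing it with `hmac.compare_digest` are the two pieces a reviewer should look for in any state-changing endpoint.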