Security Alerts & News
by Tymoteusz A. Góral

#1196 PayPal fixes CSRF vulnerability in PayPal.me
PayPal recently fixed a vulnerability on its PayPal.me site that could have let an attacker change a user’s profile without permission.

The issue stemmed from a cross-site request forgery (CSRF) vulnerability in PayPal.me, a site the company launched last year to let its users request money, similar to Venmo, another property it owns.

Florian Courtial, a French software engineer who hunts for bugs in his spare time, discovered the vulnerability and discussed it on his personal blog earlier this week. Courtial previously disclosed bugs in Slack and the project management app Trello.

Courtial found the bug while rooting around both PayPal.com and PayPal.me for CSRF vulnerabilities. Using Burp Suite, he discovered he could remove or edit the CSRF token and still update a user’s PayPal profile picture, meaning the server did not actually enforce the token. The response was also missing a few security headers, such as X-Frame-Options: DENY, which allowed him to submit the form without redirection.
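The defect class described above, as an added illustration that is not PayPal's code or Courtial's: a handler that reads the CSRF token but never compares it (so a removed or edited token still succeeds) beside a fixed handler, plus a small probe that a defender can keep as a regression test. The in-memory session store, handler names and the `sess-1` session id are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store (example only, not PayPal's code).
SESSION_TOKENS = {}

def issue_csrf_token(session_id):
    """Mint a per-session token and keep the expected value server-side."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token

def update_profile_unchecked(session_id, form):
    """Handler with the class of defect described: the token field is
    read but never compared, so a removed or edited token still succeeds."""
    form.get("csrf_token")          # parsed, then ignored
    return 200 if session_id in SESSION_TOKENS else 401

def update_profile_checked(session_id, form):
    """Fixed handler: a missing token is rejected, and a supplied one is
    compared against the server-side value in constant time."""
    expected = SESSION_TOKENS.get(session_id)
    supplied = form.get("csrf_token")
    if expected is None:
        return 401
    if not supplied or not hmac.compare_digest(supplied, expected):
        return 403
    return 200

def probe_csrf(handler, session_id="sess-1"):
    """Regression probe: submit the form with a valid, a removed and an
    edited token and report the status each variant receives."""
    good = issue_csrf_token(session_id)
    cases = {
        "valid": {"csrf_token": good, "picture": "new.png"},
        "removed": {"picture": "new.png"},
        "edited": {"csrf_token": "A" * len(good), "picture": "new.png"},
    }
    return {name: handler(session_id, form) for name, form in cases.items()}

def response_headers():
    """Headers the story notes were absent; they stop the page being framed."""
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}

if __name__ == "__main__":
    print("unchecked:", probe_csrf(update_profile_unchecked))
    print("checked:  ", probe_csrf(update_profile_checked))
```

Only a handler for which the probe rejects both the "removed" and "edited" cases actually enforces the token.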