PayPal Addresses Months-Old SQL Injection Vulnerability, Frozen Accounts

Published by

Researchers with Vulnerability Lab today announced mega payment processor PayPal has fixed a flaw on its site that allowed a remote user or a local user with low privileges to compromise a Web application using a blind SQL injection From threatpost:
Researchers with Vulnerability Lab today announced mega payment processor PayPal has fixed a flaw on its site that allowed a remote user or a local user with low privileges to compromise a Web application using a blind SQL injection.

The vulnerability was first reported to PayPal back in August, according to Softpedia, but the company waited until now to announce a fix. PayPal awarded the researchers a $3,000 bounty for responsibly disclosing their find.

"The security hole existed in the unique number field of the email confirmation module .... The affected parameter was “login_confirm_number_id`` bearing the name “login_confirm_number,`` according to a news release. “The validation of the confirm number input field is watching all the context since the first valid number matches. The attacker uses a valid number and includes the statement after it to let both pass through the PayPal application filter.

 PayPal Addresses Months-Old SQL Injection Vulnerability, Frozen Accounts