Menu
PayPal is the latest victim of Java deserialization bugs in Web apps

PayPal is the latest victim of Java deserialization bugs in Web apps

The company's Java-based, back-end system was vulnerable to an attack that researchers have warned about for a year

PayPal has fixed a serious vulnerability in its back-end management system that could have allowed attackers to execute arbitrary commands on the server and potentially install a backdoor.

The vulnerability is part of a class of bugs that stem from Java object deserialization and which security researchers have warned about a year ago.

In programming languages, serialization is the process of converting data to a binary format for storing it or for sending it over the network. Deserialization is the reverse of that process.

Deserialization is not an issue in itself, but like most processes that involve processing potentially untrusted input, measures need to be taken to ensure that it is performed safely. For example, an attacker could craft a serialized object that includes a Java class that the application accepts and which could be abused for something malicious.

Security researchers Chris Frohoff and Gabriel Lawrence gave a presentation about  this type of attack at a security conference a year ago. Then in November, researchers from a company called FoxGlove Security published a proof-of-concept exploit for a deserialization vulnerability in a popular library called Apache Commons Collections that's included by default on many Java application servers.

Security researchers warned at the time that thousands of Java-based Web applications, including custom-made enterprise ones, are likely vulnerable to this attack and said that both good and bad hackers will likely start probing for it.

Michael Stepankin, the bug bounty hunter who found the recent vulnerability in the manager.paypal.com website, is one such hacker. He was inspired by the research from Frohoff, Lawrence and the FoxGlove researchers and even used one of the tools they produced to build his attack payload.

After determining that the PayPal site was vulnerable to Java deserialization, Stepankin was able to exploit the flaw in order to execute arbitrary commands on its underlying Web server.

"Moreover, I could establish a back connection to my own Internet server and, for example, upload and execute a backdoor," he said in a blog post. "In result, I could get access to production databases used by the manager.paypal.com application."

After he reported the issue to PayPal and it got fixed, the company gave him a reward through its bug bounty program, even though his report was marked as a duplicate. It turns out that another security researcher reported the same issue a few days earlier, proving that people are currently scanning for this type of vulnerability.

Developers should make sure that they update the Apache Commons Collections library used by their Java servers and apps to at least versions 3.2.2 or 4.1, which address this issue. However, it's likely that this type of vulnerability exists in other libraries as well, waiting to be discovered.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments