Menu
PayPal is the latest victim of Java deserialization bugs in Web apps

PayPal is the latest victim of Java deserialization bugs in Web apps

The company's Java-based, back-end system was vulnerable to an attack that researchers have warned about for a year

PayPal has fixed a serious vulnerability in its back-end management system that could have allowed attackers to execute arbitrary commands on the server and potentially install a backdoor.

The vulnerability is part of a class of bugs that stem from Java object deserialization and which security researchers have warned about a year ago.

In programming languages, serialization is the process of converting data to a binary format for storing it or for sending it over the network. Deserialization is the reverse of that process.

Deserialization is not an issue in itself, but like most processes that involve processing potentially untrusted input, measures need to be taken to ensure that it is performed safely. For example, an attacker could craft a serialized object that includes a Java class that the application accepts and which could be abused for something malicious.

Security researchers Chris Frohoff and Gabriel Lawrence gave a presentation about  this type of attack at a security conference a year ago. Then in November, researchers from a company called FoxGlove Security published a proof-of-concept exploit for a deserialization vulnerability in a popular library called Apache Commons Collections that's included by default on many Java application servers.

Security researchers warned at the time that thousands of Java-based Web applications, including custom-made enterprise ones, are likely vulnerable to this attack and said that both good and bad hackers will likely start probing for it.

Michael Stepankin, the bug bounty hunter who found the recent vulnerability in the manager.paypal.com website, is one such hacker. He was inspired by the research from Frohoff, Lawrence and the FoxGlove researchers and even used one of the tools they produced to build his attack payload.

After determining that the PayPal site was vulnerable to Java deserialization, Stepankin was able to exploit the flaw in order to execute arbitrary commands on its underlying Web server.

"Moreover, I could establish a back connection to my own Internet server and, for example, upload and execute a backdoor," he said in a blog post. "In result, I could get access to production databases used by the manager.paypal.com application."

After he reported the issue to PayPal and it got fixed, the company gave him a reward through its bug bounty program, even though his report was marked as a duplicate. It turns out that another security researcher reported the same issue a few days earlier, proving that people are currently scanning for this type of vulnerability.

Developers should make sure that they update the Apache Commons Collections library used by their Java servers and apps to at least versions 3.2.2 or 4.1, which address this issue. However, it's likely that this type of vulnerability exists in other libraries as well, waiting to be discovered.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.​

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments