PayPal's CSRF vulnerability to change phone numbers

In 2013, I disclosed a very serious CSRF vulnerability to the online payment giant PayPal. This vulnerability allowed a malicious attacker to silently change the phone number of a PayPal user, helping the attacker take over the account through the password reset option.
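The chain described above rests on one server-side mistake: the phone-number change endpoint accepted any POST that arrived with a valid session cookie, so a form submitted from another site in the victim's browser was indistinguishable from a genuine one. The following is an added example, not code from the book or from PayPal, that shows that pattern beside a hardened handler which checks the request's origin and a per-session synchronizer token. The origin `https://www.example-payments.test`, the `Session` and `Request` classes and the phone values are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed placeholder origin for the example; not a real site.
SITE_ORIGIN = "https://www.example-payments.test"


@dataclass
class Session:
    """Server-side session state, keyed by the session cookie (simulated)."""
    user_id: str
    phone: str
    # Synchronizer token: random, per session, embedded in genuine forms only.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request that already carried a valid session cookie."""
    method: str
    headers: dict
    form: dict


def change_phone_vulnerable(session: Session, request: Request) -> str:
    """The pattern behind the reported bug: the session cookie is the only
    authentication, so a cross-site form post is accepted as the victim."""
    if request.method != "POST":
        return "rejected: method"
    session.phone = request.form["phone"]
    return "changed"


def same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix check would accept
    look-alike hosts such as example-payments.test.attacker.test."""
    parts = urlsplit(url)
    site = urlsplit(SITE_ORIGIN)
    return (parts.scheme, parts.netloc) == (site.scheme, site.netloc)


def change_phone_hardened(session: Session, request: Request) -> str:
    """Two independent CSRF checks on a sensitive state change."""
    if request.method != "POST":
        return "rejected: method"
    # 1. Origin (or Referer as a fallback) must be our own site.
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    if not same_origin(origin):
        return "rejected: origin"
    # 2. The form must carry the token issued with this session; constant-time compare.
    token = request.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return "rejected: csrf token"
    session.phone = request.form["phone"]
    return "changed"


def demo() -> dict:
    """Run a forged cross-site post and a genuine post through both handlers."""
    victim_old, attacker_phone = "+1-555-0100", "+1-555-0199"  # constructed values
    forged = Request("POST", {"Origin": "https://attacker.test"}, {"phone": attacker_phone})

    weak = Session("victim", victim_old)
    weak_result = change_phone_vulnerable(weak, forged)

    strong = Session("victim", victim_old)
    forged_result = change_phone_hardened(strong, forged)
    genuine = Request("POST", {"Origin": SITE_ORIGIN},
                      {"phone": attacker_phone, "csrf_token": strong.csrf_token})
    genuine_result = change_phone_hardened(strong, genuine)

    return {
        "vulnerable": (weak_result, weak.phone),
        "hardened_forged": forged_result,
        "hardened_genuine": (genuine_result, strong.phone),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token check alone would have stopped the attack; the origin check is a second, independent layer that also catches forms where the token was leaked or omitted. For a change that feeds the password-reset path, re-confirming the new number with a one-time code sent to the old number (or requiring the account password again) is a third layer worth having.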

I was checking my PayPal balance sheet at the time, and as soon as I logged into PayPal's web application I was prompted to add and confirm a phone number for my PayPal account, as seen in the following screenshot:

[Screenshot: PayPal's prompt to add and confirm a phone number]

As soon as I clicked Send Code, a one-time password was received on my number, and looking ...
