PayPal patches deadly server remote code execution flaw

Independent security researcher Michael Stepankin has reported a since-patched remote code execution hole in Paypal that could have allowed attackers to hijack production systems. The critical vulnerability affecting manager.paypal.com revealed overnight was reported 13 December and patched soon after disclosure. It allowed …

  1. Anonymous Coward

    "I realised that it’s a Java serialised object without any signature handled by the application [which] means that you can send serialised object of any existing class to a server and 'readObject' or 'readResolve' method of that class will be called"

    So basically you can send any old bytecode down the line and have it executed. Brilliant. Is this a PayPal bug or a Java bug?

    1. This post has been deleted by its author

    2. wikkity

      Is this a Paypal bug or a java bug?

      It's a PayPal bug. Anyone who accepts data from an untrusted source and uses it without validation should not be in the position they are in. It's quite a simple rule, and no different to the one we tell our children about strangers.

      Java serialisation is something very useful, in the right circumstances; anyone who says that it is a flaw inherent in Java (as has been stated in comments to related articles) is simply wrong.
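The two comments above describe the core problem: an unsigned serialised object lets the sender pick any class on the classpath, and that class's readObject runs before the application can validate anything. The following is an added example, not code from the article, the commenters or PayPal; the class names and the sample input are constructed, and it assumes Java 9 or later for java.io.ObjectInputFilter. It shows the unfiltered read invoking an unexpected class's readObject, then the same bytes being rejected by an allow-list filter before that method can run.

```java
import java.io.*;

// Added demonstration (constructed, not from the article or PayPal).
public class DeserialisationDemo {

    // The only type the service legitimately expects to receive.
    static final class Expected implements Serializable {
        private static final long serialVersionUID = 1L;
        String value;
        Expected(String v) { value = v; }
    }

    // Stand-in for "any existing class" on the classpath: its readObject runs
    // as soon as the bytes are parsed, before the caller can inspect the result.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // benign marker; a real gadget class would do arbitrary work here
        }
    }

    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: whatever class the bytes name gets its readObject invoked.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: allow only Expected, reject every other class and cap nesting depth.
    static Object filteredRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                Expected.class.getName() + ";!*;maxdepth=4");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowList);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] hostile = serialise(new Unexpected());   // constructed sample input
        unsafeRead(hostile);
        System.out.println("unfiltered: readObject ran = " + Unexpected.readObjectRan);
        try { filteredRead(hostile); }
        catch (InvalidClassException e) { System.out.println("filtered: rejected -> " + e.getMessage()); }
        System.out.println("filtered: legitimate value = " + ((Expected) filteredRead(serialise(new Expected("ok")))).value);
    }
}
```

The filter is consulted for each class descriptor as the stream is parsed, so the rejection happens before Unexpected is instantiated at all; the same allow-list can be applied process-wide with the jdk.serialFilter system property instead of per stream.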

  2. thomas k

    Not the headline ...

    you want to see after just having signed up to PayPal. That it was patched a month ago calmed my racing heart, once I got that far down.

    1. frank ly

      Re: Not the headline ...

      When I signed up to Paypal, about thirteen years ago, they made a point that you needed two items of information to log in: your sign-up email address and your password; hence it was very secure. I soon realised that they give your Paypal sign-in email address to whoever you send payment to, so they can contact you I assume. (As far as I can tell, they no longer make that statement on their website.)

      Eventually, you'll get advertising spam and phishing attempts directed at the email address you used, depending on which people you send Paypal payments to.

      1. thomas k

        Re: spam ...

        Well, I guess that's something to look forward to. Good thing it's not one I use for anything else.

  3. mlitchfield

    I got paid $15,000 for this bug

    PayPal also blogged about it on their Engineering site

    https://www.paypal-engineering.com/2016/01/21/lessons-learned-from-the-java-deserialization-bug/

  4. Anonymous Coward

    Attack of the Java deserialisation object flaw

    Weren't the two big selling points of Java that it was write-once-run-anywhere and that the apps were sandboxed, safely isolating them from the core OS? Why didn't these defects reveal themselves when testing 'object deserialization' at the design stage? The designers did test it for security bugs before releasing it, didn't they? What happened, what went wrong? I really want to know.
