WebApp Sec mailing list archives

Re: PayPal Manager Admin Account Hijack


From: Daniel Kester <dekester () usgs gov>
Date: Thu, 15 May 2014 10:51:06 -0500

Now that I think about it, we should make sure the WAFs are filtering this.

On Wed, May 14, 2014 at 06:48:19PM -0700, Mark Litchfield wrote:
Date: Wed, 14 May 2014 18:48:19 -0700
From: Mark Litchfield <mark () securatary com>
Subject: PayPal Manager Admin Account Hijack
To: webappsec () securityfocus com

Hi All,

I have just released a new vulnerability at
http://www.securatary.com/vulnerabilities outlining a hack on
http://manager.paypal.com that in the end allowed full admin access.

PayPal were very quick to fix this issue, so nice job PayPal
Security / Engineering team.

-- 
All the best

Mark Litchfield
http://www.securatary.com
Twitter - http://twitter.com/securatary





This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

---end quoted text---

-- 
Daniel E. Kester

Center for Integrated Data Analytics
U.S. Geological Survey
dekester () usgs gov | 608-821-3854

OpenPGP: 214E D2F3 4122 4F88 CC0E  2447 C7BA 7124 6FA7 9C1F

