Bug Bounty - Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Search Engine
(Enumerating the list of email addresses and other information via search engine)
Dec 26th, 2017
@YoKoAcc ([email protected])
[English Version]



Bug Bounty - Information Disclosure at PayPal and Xoom via Search Engine | page 2

Revision Detail

Version   Date             Detail
0.1       Dec 26th, 2017   -


Table of Contents

Revision Detail ........ 2
Table of Contents ........ 3
Table of Figures ........ 4
List of Tables ........ 4
I. ABSTRACT ........ 5
II. INTRODUCTION ........ 5
  2.1. PayPal's Transaction Parameters in the HTTP Request ........ 7
  2.2. Xoom's Issue Related to Information Disclosure ........ 7
    2.2.1. Xoom's User Enumeration Prevention Concept ........ 7
    2.2.2. Xoom's Referral Parameter ........ 8
III. SUMMARY OF ISSUE ........ 8
IV. PROOF OF CONCEPT ........ 9
  4.1. Enumerating the List of Email Addresses at Xoom ........ 9
  4.2. Enumerating Some Information at PayPal ........ 10
V. RECOMMENDATION ........ 12
VI. ADDITIONAL INFORMATION ........ 12
VII. LESSONS LEARNED ........ 13
VIII. ADDITIONAL NOTE ........ 13

Table of Figures

Figure 1 Common Blocking Rules - via robots.txt ........ 5
Figure 2 Sample of a Decoded Request from One Transaction at PayPal ........ 6
Figure 3 Block search indexing with 'noindex' ........ 6
Figure 4 Registering with an Already Registered Email Account - Protecting against Enumeration ........ 8
Figure 5 Information Disclosure via Search Engine - Referral Feature ........ 9
Figure 6 Information Disclosure via Search Engine - Send Money Feature ........ 10
Figure 7 Information Disclosure at PayPal - sendMoneyText Parameter ........ 10
Figure 8 Information Disclosure at PayPal - payerView Parameter ........ 11
Figure 9 Information Disclosure at PayPal - em Parameter ........ 11
Figure 10 Sample of a Valid Customer Invoice ........ 12

List of Tables

Table 1 Sample of the Complete Request ........ 7


I. ABSTRACT

Nobody can deny that one of the biggest wishes of anyone who runs a content-heavy site is to be indexed at the top of the world's search engines. In reality, while a search engine helps us "promote" our content to the public, the same search engine can "betray" the site owner and leak information if the blocking rules are not set up properly.

This mindset is backed by research conducted by Ateeq Khan. In November 2013 he showed an interesting vulnerability (critical information disclosure) in Microsoft's Yammer product that relied on nothing more than a search engine's core function: access tokens that had been "accidentally" indexed by the search engine were exposed, and an attacker at that time could use them to log in to the related accounts.

Given these two sides of a search engine, this short paper discusses the same class of vulnerability (the one Ateeq Khan found in 2013) at another big company, PayPal. The problem existed because PayPal and Xoom (a PayPal acquisition) did not set up their indexing rules properly, so search engines indexed the email addresses and some of the transaction purposes that users had submitted to the applications. With a simple dork (on Google or another search engine), we could easily enumerate that information.

II. INTRODUCTION

In its implementation, PayPal passes the details of a user's transaction in the query string of an HTTPS GET request. Please note that there is nothing wrong with GET over HTTPS as such: the query string is hidden from a network observer. What HTTPS does not hide is the URL itself, which ends up in browser history, Referer headers, proxy logs and, once a link to it is published anywhere, in search-engine indexes. With so many customers doing so many transactions around the world, the chance that a search engine indexes those URLs becomes higher if the site does not set up its indexing rules properly.

Commonly, blocking rules are set up by writing "Disallow" rules in the robots.txt file.

Figure 1 Common Blocking Rules - via robots.txt


As seen from the sample structure above, such rules are very effective at preventing the search engine from indexing the content inside those directories. But when everything is processed in the URL, as PayPal does, it becomes a different matter: the sensitive data is not in a directory that can be blocked, it is in the query string of a page that is otherwise public.

Figure 2 Sample of a Decoded Request from One Transaction at PayPal

As we can see from the sample picture above, without a proper search-engine blocking setup, an attacker can try to enumerate that information via the search engine.

Please note: the usual way to prevent a search engine from indexing this type of request is a noindex robots meta tag in the page (or the equivalent X-Robots-Tag response header). Google's documentation describes this as the alternative to robots.txt for this kind of case, and it adds one caveat that matters here: a page that robots.txt forbids the crawler from fetching can never have its noindex read, so its URL may still be indexed from links alone.

Figure 3 Block search indexing with 'noindex'

HubSpot, in one of their articles, also describes these two effective ways to prevent the search engine from indexing content that may be sensitive or not useful.
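As an added example (not code from this report, and not PayPal's or Xoom's configuration), here is a small checker for the interaction just described. It evaluates a URL against a robots.txt, a response's X-Robots-Tag header and its robots meta tag, and reports whether the page will be indexed, kept out, or, the trap, blocked from crawling so that its noindex is never read. The robots.txt, URLs and HTML are constructed samples; the matcher covers the query string as well as the path, since the sensitive part of PayPal's URLs lives there.

```python
"""Check whether a URL is really kept out of a search index.

Added example (not code from the original report). It models the three
controls discussed above - a robots.txt Disallow, the robots meta tag and
the X-Robots-Tag header - and their interaction: a path that robots.txt
forbids is never fetched, so a noindex on that page is never read and the
bare URL can still be indexed from links. SAMPLE_ROBOTS and the inputs
used with it are constructed, not a real site's configuration.
"""
import re
from urllib.parse import urlsplit

# Constructed robots.txt (assumption, not a real site's file).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /myaccount/
Disallow: /signin/
Allow: /signin/help
"""

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_robots(text, agent="*"):
    """Return (allow, disallow) path patterns from the group for `agent`."""
    allow, disallow = [], []
    in_group = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            in_group = (value == agent)
        elif in_group and value and key == "disallow":
            disallow.append(value)
        elif in_group and value and key == "allow":
            allow.append(value)
    return allow, disallow


def _pattern_to_regex(pattern):
    """robots.txt patterns: '*' matches any run, a trailing '$' anchors the end."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in body)
    return re.compile("^" + regex + ("$" if anchored else ""))


def crawl_blocked(robots_text, url, agent="*"):
    """Longest matching rule wins; Allow wins a tie. Matched against path+query."""
    allow, disallow = parse_robots(robots_text, agent)
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")

    def longest(rules):
        return max((len(p) for p in rules if _pattern_to_regex(p).match(target)), default=-1)

    return longest(disallow) > longest(allow)


def _directives(value):
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def has_noindex(headers, html):
    """True if an X-Robots-Tag header or a robots/googlebot meta tag says noindex (or none)."""
    found = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            found |= _directives(value)
    for tag in META_TAG_RE.findall(html):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in ATTR_RE.finditer(tag)}
        if attrs.get("name", "").lower() in ("robots", "googlebot"):
            found |= _directives(attrs.get("content", ""))
    return bool(found & {"noindex", "none"})


def index_verdict(robots_text, url, headers, html):
    """Classify a URL by what a well-behaved crawler will do with it."""
    blocked = crawl_blocked(robots_text, url)
    noindex = has_noindex(headers, html)
    if blocked and noindex:
        # The noindex is never read because the fetch is forbidden; the URL can
        # still be indexed from inbound links.
        return "crawl-blocked-noindex-unseen"
    if blocked:
        return "crawl-blocked"   # body not fetched, bare URL may still be listed
    if noindex:
        return "noindex"         # fetched, then kept out of the index
    return "indexable"


if __name__ == "__main__":
    demo = "https://www.paypal.com/myaccount/transfer/send/external?recipient=a%40example.com"
    print(index_verdict(SAMPLE_ROBOTS, demo, {}, '<meta name="robots" content="noindex">'))
```

The verdict to look for when auditing is `crawl-blocked-noindex-unseen`: the site has put the noindex in place and at the same time made it unreachable, which is exactly the case Google's documentation warns about.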


2.1. PayPal's Transaction Parameters in the HTTP Request

When a user wants to send money to another account, PayPal normally sends the request to the server with the GET method, carrying parameters (and values) such as recipient, onboardData, sendMoney, currencyCode, payment_type, sendMoneyText and intent.

For example, here is the complete request sent by a user who wants to send money (GET method; shown URL-decoded, with the victim's address replaced by a placeholder):

https://www.paypal.com/signin/?country.x=US&locale.x=en-US&returnUri=https://www.paypal.com/myaccount/transfer/send/external?recipient=(victim_email_address)&amount=1000.00&currencyCode=USD&payment_type=Gift&onboardData={"intent":"sendMoney","recipient":"(victim_email_address)","currency":"$","amount":"1000.00","redirect_url":"https://www.paypal.com/myaccount/transfer/send/external?recipient=(victim_email_address)&amount=1000.00&currencyCode=USD&payment_type=Gift","flow":"p2p","country":"US","locale":"en-US","sendMoneyText":"Custom message, for example sending money to victim_email_address"}

Table 1 Sample of the Complete Request

As stated earlier, because all of these parameters live in the URL, we can try to enumerate transactions that registered users have ever initiated: the recipient's email address, the amount and currency, the payment type, and whatever the sender typed into the free-text message.

2.2. Xoom's Issue Related to Information Disclosure

This one is a little different from PayPal. When we ran the same kind of search against Xoom, we did not get any information except email addresses. At first we thought that this would not be considered a vulnerability from PayPal's point of view. But when we found out that Xoom had implemented a specific method to prevent user enumeration on its portal, we decided to report this issue to PayPal too (and yes, they acknowledged the report as a valid issue).

2.2.1. Xoom's User Enumeration Prevention Concept

When we register an account at Xoom for the first time, Xoom processes the registration normally and sends the verification request to the user. The unusual thing happens when a user (or attacker) tries to register an account that already exists: Xoom still processes the registration exactly as it does when the user does not exist in the system. On the other side, Xoom sends a warning email to the already registered account that the attacker tried to register again.


In other words, registered or not, Xoom processes the registration the same way and never shows an error saying the account already exists. Only in the backend does Xoom distinguish between a registered and an unregistered address, by choosing which email to send.

Figure 4 Registering with an Already Registered Email Account - Protecting against Enumeration

So, having learned this flow, it follows that if we can enumerate user IDs by another route, that is a flaw: it defeats a protection Xoom deliberately built.
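The following is an added example, not Xoom's code, of the registration behaviour described above: the naive handler that leaks account existence through a distinct error, beside an enumeration-resistant handler that returns the same response either way and only differs in which email it sends. The user store, outbox, the pre-existing account and all passwords are constructed stand-ins.

```python
"""Registration that does not reveal whether an e-mail address is taken.

Added example, not Xoom's code. It reproduces the behaviour described
above - the same response whether or not the account exists, with a
warning e-mail to the existing owner instead of an error - next to the
naive version that leaks existence through a distinct message. The user
store and outbox are in-memory stand-ins; the existing account and the
passwords are constructed sample data.
"""
import hashlib
import os

PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def fresh_store():
    """One pre-existing account (constructed)."""
    return {"alice@example.com": _hash_password("alice-existing-pass")}


def naive_register(users, outbox, email, password):
    """Leaks existence: a taken address gets a different status and message,
    and the early return also makes that response measurably faster."""
    email = email.strip().lower()
    if email in users:
        return {"status": 409, "message": "That email address is already registered"}
    users[email] = _hash_password(password)
    outbox.append({"to": email, "type": "verify"})
    return {"status": 200, "message": "Check your inbox to verify your address"}


def safe_register(users, outbox, email, password):
    """Same status and message either way; only the e-mail that goes out differs.
    The password is hashed on both paths so the timing is the same too."""
    email = email.strip().lower()
    credential = _hash_password(password)
    if email in users:
        # Tell the real owner that someone tried to sign up with their address.
        outbox.append({"to": email, "type": "warning"})
    else:
        users[email] = credential
        outbox.append({"to": email, "type": "verify"})
    return {"status": 200, "message": "Check your inbox to verify your address"}


def leaks_existence(register, existing="alice@example.com", probe="nobody@example.com"):
    """What an unauthenticated client can compare: the two responses. True if they differ."""
    users, outbox = fresh_store(), []
    r_existing = register(users, outbox, existing, "Pr0be!pass")
    r_new = register(users, outbox, probe, "Pr0be!pass")
    return r_existing != r_new
```

Two things remain for an attacker to look at once the response is uniform: response time, which is why the safe handler pays the hashing cost on both paths, and the emails themselves, which only the mailbox owner can see. The warning email can be abused as a nuisance channel against a known address, so the safe path still wants rate limiting per address and per client.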

2.2.2. Xoom's Referral Parameter

One of the biggest questions on our mind was how we could enumerate the list of users at Xoom. The answer came from the referral feature.

Referral links are a feature commonly used by public companies to increase use of their service. Usually the referral link comes with an attractive promotion for the recipient. Xoom has such a feature too (found at: https://www.xoom.com/xoom-refer-a-friend-program), which a registered user can use to get a "$20 Amazon Gift Card" for every first transfer by a new user with a value of $400 or more (transaction fee excluded).

And just as described earlier, the missing indexing rules on this feature allowed an attacker to enumerate the list of registered users through the search engine, because the referral URL carries an email address in its query string (see the dorks in section 4.1).

III. SUMMARY OF ISSUE

As described above, the security problem in this report is the ability to enumerate information (information disclosure) via a search engine. The problem existed because PayPal had not yet implemented proper indexing rules for these URLs.


IV. PROOF OF CONCEPT

The proof of concept for this one is extremely easy. We only need a simple Google dork to find the information that was ever exposed while the service was used by its users.

4.1. Enumerating the List of Email Addresses at Xoom

We only need a simple Google dork to find registered users at Xoom who have ever used this service. Here are the dorks that can be used to find registered users:

• site:xoom.com inurl:'@gmail.com'

• site:xoom.com inurl:'@yahoo.com'

• site:xoom.com inurl:'@hotmail.com'

• site:xoom.com inurl:'@msn.com'

• site:xoom.com inurl:'e=' 'refer'

• site:xoom.com inurl:'tellapal.id'

Please note:

• The same dork works with any other domain that provides an email service.

• The information disclosure can also be detected through other features, such as send money (not only the referral feature).

Figure 5 Information Disclosure via Search Engine - Referral Feature


Figure 6 Information Disclosure via Search Engine - Send Money Feature

4.2. Enumerating Some Information at PayPal

Just like the previous one, here are the Google dorks that can be used to find some of the information:

• site:paypal.com inurl:'payment_type='

• site:paypal.com inurl:intent

• site:paypal.com inurl:'sendMoneyText'

• site:paypal.com inurl:'recipient='

• site:paypal.com inurl:currencyCode=

• site:paypal.com inurl:onboardData=

• site:paypal.com inurl:sendMoney

• site:paypal.com inurl:item_name

• site:paypal.com inurl:counterparty

Figure 7 Information Disclosure at PayPal - sendMoneyText Parameter
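As an added example (not the report's code), here is what turns a list of dork results like those in sections 4.1 and 4.2 into the data the report is worried about. It parses a URL the way PayPal's request in section 2.1 is nested (the returnUri is itself a URL, and onboardData is JSON that again contains a URL), collects the fields named there, and harvests every email address it sees. The Xoom referral URL shape (an `e` query parameter on a refer page plus a `tellapal.id` value) is an assumption taken from the report's dorks, not a documented format; all URLs in the block are constructed samples with example.com addresses.

```python
"""Pull the personal data out of indexed transaction and referral URLs.

Added example, not the report's code. It extracts the fields named in
section 2.1 (recipient, amount, currencyCode, payment_type, intent,
sendMoneyText, item_name, counterparty) from URLs of the kind the dorks
in 4.1 and 4.2 return, following PayPal's nesting of URL-in-URL and
JSON-in-URL. The Xoom referral URL shape is an assumption from the
report's dorks; all sample URLs are constructed.
"""
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SENSITIVE_KEYS = {"recipient", "amount", "currencyCode", "currency", "payment_type",
                  "sendMoneyText", "intent", "item_name", "counterparty", "e"}


class Leak:
    def __init__(self):
        self.fields = {}   # sensitive key -> set of values
        self.texts = []    # every leaf string seen, for e-mail harvesting

    def note(self, key, value):
        self.texts.append(value)
        if key in SENSITIVE_KEYS:
            self.fields.setdefault(key, set()).add(value)


def _visit(key, value, leak):
    """A value may be another URL, a JSON document, or a plain string."""
    if isinstance(value, str) and value.startswith(("http://", "https://")):
        _walk_url(value, leak)
    elif isinstance(value, str) and value[:1] == "{":
        try:
            _walk_json(json.loads(value), leak)
        except ValueError:
            leak.note(key, value)      # free text that merely starts with '{'
    elif isinstance(value, (dict, list)):
        _walk_json(value, leak)
    else:
        leak.note(key, str(value))


def _walk_json(obj, leak):
    items = obj.items() if isinstance(obj, dict) else enumerate(obj)
    for key, value in items:
        _visit(str(key), value, leak)


def _walk_url(url, leak):
    # parse_qs percent-decodes one level; a nested URL is decoded again when recursed into.
    for key, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            _visit(key, value, leak)


def extract(url):
    """Sensitive fields and every e-mail address found anywhere in one URL."""
    leak = Leak()
    _walk_url(url, leak)
    emails = set()
    for text in leak.texts:
        emails.update(EMAIL_RE.findall(text))
    return {"fields": {k: sorted(v) for k, v in leak.fields.items()},
            "emails": sorted(emails)}


def triage(urls):
    """Aggregate a dork result set: distinct addresses and how many URLs describe a payment."""
    emails, payment_urls = set(), 0
    for url in urls:
        found = extract(url)
        emails.update(found["emails"])
        if "recipient" in found["fields"] or "amount" in found["fields"]:
            payment_urls += 1
    return {"emails": sorted(emails), "payment_urls": payment_urls}


# --- constructed sample input, built with the nesting shown in Table 1 ---
_inner = "https://www.paypal.com/myaccount/transfer/send/external?" + urlencode(
    {"recipient": "victim@example.com", "amount": "1000.00",
     "currencyCode": "USD", "payment_type": "Gift"})
_onboard = json.dumps({"intent": "sendMoney", "recipient": "victim@example.com",
                       "currency": "$", "amount": "1000.00", "redirect_url": _inner,
                       "flow": "p2p", "country": "US", "locale": "en-US",
                       "sendMoneyText": "Rent for March, from bob@example.com"})
PAYPAL_URL = "https://www.paypal.com/signin/?" + urlencode(
    {"country.x": "US", "locale.x": "en-US",
     "returnUri": _inner + "&" + urlencode({"onboardData": _onboard})})
XOOM_URL = "https://www.xoom.com/refer?" + urlencode(   # assumed shape, not documented
    {"e": "friend@example.com", "tellapal.id": "12345"})
SAMPLE_URLS = [PAYPAL_URL, XOOM_URL]
```

Note that the free-text sendMoneyText is scanned for addresses as well: the report's own sample message names the recipient, so the message often leaks a second address beyond the recipient parameter. The same walker works on a search engine's exported result list, one URL per line.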


Figure 8 Information Disclosure at PayPal - payerView Parameter

Figure 9 Information Disclosure at PayPal - em Parameter

In another situation, we could also find a valid customer invoice that had accidentally been posted in a public area (the internet):


Figure 10 Sample of a Valid Customer Invoice

V. RECOMMENDATION

Google has explained in detail how to prevent this issue; the details can be found in the article "Block search indexing with 'noindex'". In practice that means a noindex robots meta tag or an X-Robots-Tag header on the pages that receive these parameters, without also blocking those paths in robots.txt, since a crawler that is forbidden from fetching a page never sees its noindex. Moving the sensitive fields out of the query string (for example into a POST body) would remove the exposure regardless of how search engines behave.

VI. ADDITIONAL INFORMATION

To complete the explanation, we uploaded unlisted YouTube videos for both scenarios:

6.1. Information Disclosure at PayPal: https://youtu.be/N4owd36BNJY

6.2. Information Disclosure at Xoom: https://youtu.be/1cwwcFeJge8


VII. LESSONS LEARNED

7.1. From the Xoom case: always try to find a way to turn your finding into a valid one by studying the application's procedure or flow. Even if in some cases it turns out not to be a valid security issue, it is worth trying (especially if no points are deducted when the issue isn't valid).

7.2. And yes, one very useful lesson is to spare the time to read research conducted by other researchers. For the record, this research was inspired by Ateeq Khan's research on the critical information disclosure in Microsoft's Yammer product.

The details can be found at: https://www.vulnerability-lab.com/get_content.php?id=1003

VIII. ADDITIONAL NOTE

The initial bounty was sent on: July 13th, 2017 (Xoom domain) and August 25th, 2017 (PayPal domain).

The final bounty was sent on: August 25th, 2017 (Xoom domain) and December 6th, 2017 (PayPal domain).