1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

{0day Paypal Bug} Privilege Escalation . Take Over Main Accounts.

Discussion in 'BlackHat Lounge' started by Arthas, Mar 25, 2009.

  1. Arthas


    Jan 5, 2009
    Likes Received:
    I just discovered this today while logging into a paypal sub account. A sub account is a limited account someone can create for you by using the muli user access feature of paypal.

    A new security policy has just been applied to paypal which requires sub accounts to enter new security questions and a change their password.

    When you login next time to a sub account it will ask you for this new information and make you change your password. However, the password that it changes is actually the main account holder's! Paypal has fucked up.

    My account was only allowed to receive money. After completing the form I then had the main account holder's password and could have done whatever. Of course the account holder was a friend of mine and so I just told him what was going on.

    I am posting this to warn anyone who might have multi user access enabled on their account. You should remove the access now before the user has a chance to login and change your password.
  2. chowyoungfat

    chowyoungfat Regular Member

    Nov 6, 2008
    Likes Received:
    I come from a land down under..
    holy shit, people could really go to town stealing money =O