The CSRF Auth verifies every single request of that user, So what If an attacker “not logged in” tries to make a “send money” request then PayPal will ask the attacker to provide his email and password, The attacker will provide the “Victim Email” and ANY password, Then he will capture the request, The request will contain a Valid CSRF Auth token Which is Reusable and Can authorise this specific user requests. Hmm, it seems interesting but still not exploitable, as there is no way for an attacker to get the “Auth” value from a victim session. The CSRF token “that authenticate every single request made by the user” which can be also found in the request body of every request with the parameter name “Auth” get changed with every request made by user for security measures, but after a deep investigation I found out that the CSRF Auth is Reusable for that specific user email address or username, this means If an attacker found any of these CSRF Tokens, He can then make actions in the behave of any logged in user.
#Hacking tools online shop for paypal code
Yasser successfully bypassed the PayPal security to generate exploit code for targeted attacks. Yasser tells that How the security breach in paypal and hackers can hijack account just single click.
0 kommentar(er)
