PayPal is the latest victim of Java deserialization bugs in Web apps

The company's Java-based, back-end system was vulnerable to an attack that researchers have warned about for a year

PayPal has fixed a serious vulnerability in its back-end management system that could have allowed attackers to execute arbitrary commands on the server and potentially install a backdoor.

The vulnerability is part of a class of bugs that stem from Java object deserialization and which security researchers have warned about a year ago.

In programming languages, serialization is the process of converting data to a binary format for storing it or for sending it over the network. Deserialization is the reverse of that process.

Deserialization is not an issue in itself, but like most processes that involve processing potentially untrusted input, measures need to be taken to ensure that it is performed safely. For example, an attacker could craft a serialized object that includes a Java class that the application accepts and which could be abused for something malicious.

Security researchers Chris Frohoff and Gabriel Lawrence gave a presentation about  this type of attack at a security conference a year ago. Then in November, researchers from a company called FoxGlove Security published a proof-of-concept exploit for a deserialization vulnerability in a popular library called Apache Commons Collections that's included by default on many Java application servers.

Security researchers warned at the time that thousands of Java-based Web applications, including custom-made enterprise ones, are likely vulnerable to this attack and said that both good and bad hackers will likely start probing for it.

Michael Stepankin, the bug bounty hunter who found the recent vulnerability in the manager.paypal.com website, is one such hacker. He was inspired by the research from Frohoff, Lawrence and the FoxGlove researchers and even used one of the tools they produced to build his attack payload.

After determining that the PayPal site was vulnerable to Java deserialization, Stepankin was able to exploit the flaw in order to execute arbitrary commands on its underlying Web server.

"Moreover, I could establish a back connection to my own Internet server and, for example, upload and execute a backdoor," he said in a blog post. "In result, I could get access to production databases used by the manager.paypal.com application."

After he reported the issue to PayPal and it got fixed, the company gave him a reward through its bug bounty program, even though his report was marked as a duplicate. It turns out that another security researcher reported the same issue a few days earlier, proving that people are currently scanning for this type of vulnerability.

Developers should make sure that they update the Apache Commons Collections library used by their Java servers and apps to at least versions 3.2.2 or 4.1, which address this issue. However, it's likely that this type of vulnerability exists in other libraries as well, waiting to be discovered.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?