| Field | Value |
| --- | --- |
| Product | PayPal Android Application |
| Severity | High |
| CVE Reference | CVE-2013-7201, CVE-2013-7202 |
| Type | PayPal Remote Code Execution |
A vulnerability was discovered in the PayPal application for Android that allows an attacker to gain code execution via a man-in-the-middle attack.
PayPal for Android lets users send and receive money on Android and offers features similar to the web-based PayPal application. The PayPal Android app is vulnerable to remote code execution via man-in-the-middle attacks.
The impact is remote code and command execution in the context of the application. The API secrets needed to interact with PayPal's API are stored in cleartext in the shared preferences file; they could be stolen using this exploit and then used to call methods of the PayPal API.
PayPal uses a WebView that ignores SSL certificate errors, and the same WebView has a JavaScript interface registered on it. The combination of the two bugs allows an attacker who can man-in-the-middle the connection to execute code on the device.
Do not use the PayPal Android app on public Wi-Fi networks. Update your device to Android 4.2 or later if possible.
Changing proceed() to cancel() stops the WebView from accepting invalid SSL certificates. This prevents an attacker from man-in-the-middling the WebView and injecting malicious code.
```java
@Override
public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError) {
    // Fixed: abort the load on any certificate error instead of continuing
    paramSslErrorHandler.cancel();
}
```
The class WebHybridClient.java implements a WebView client. If it hits an SSL error it continues with the request rather than displaying an error or aborting the connection. This means an attacker can man-in-the-middle HTTPS requests made through this WebView.
```java
@Override
public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError) {
    // Vulnerable: proceed() accepts any certificate, including one presented by an attacker
    paramSslErrorHandler.proceed();
}
```
The WebHybridClient class contains a method that registers a JavaScript interface on the WebView. This allows an attacker to execute code on the device in the context of the PayPal application on Android 4.1 and below.
```java
public View onCreateView(LayoutInflater paramLayoutInflater, ViewGroup paramViewGroup, Bundle paramBundle) {
    ...
    this.web.getSettings().setJavaScriptEnabled(true);
    ...
    // Exposes this.mListener to page script as window.ppAndroid
    this.web.addJavascriptInterface(this.mListener, "ppAndroid");
    ...
    return localView;
}
```
It was recently discovered that applications do not even need to register a JavaScript interface in their own code to be vulnerable to this attack, because a JavaScript interface is implemented in the core WebView code in Android versions before 4.2. This means that every application that loads a WebView over cleartext on those versions is vulnerable.
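As an added illustration, not the advisory's or PayPal's code, the hardened shape of the two patterns described above: a WebViewClient that fails closed on certificate errors, and a bridge that is only attached on platform versions where WebView restricts what page script can reach. The class names HardenedHybridClient, attachBridge and Bridge are hypothetical.

```java
import android.net.http.SslError;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical hardened counterpart to the WebHybridClient pattern in the advisory.
public class HardenedHybridClient extends WebViewClient {

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Fail closed: never call proceed() on a certificate error. cancel() aborts
        // the load, which matches the WebViewClient default behaviour.
        handler.cancel();
        // error.getPrimaryError() is worth logging so a MITM attempt shows up in
        // monitoring rather than failing silently.
    }

    // Before API 17 (Android 4.2) addJavascriptInterface exposes every public method
    // of the bridge object to page script through reflection, which is the exposure
    // the advisory describes. From API 17, with targetSdkVersion >= 17, only methods
    // annotated @JavascriptInterface are reachable, so the bridge is attached only there.
    public static boolean attachBridge(WebView web, Object bridge) {
        web.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            web.addJavascriptInterface(bridge, "ppAndroid");
            return true;
        }
        // On older platforms run without a bridge instead of exposing the object.
        return false;
    }

    // Bridge object: only the annotated method is callable from page script on 4.2+.
    public static final class Bridge {
        @JavascriptInterface
        public String version() { return "1"; }

        // Not annotated, so not reachable from JavaScript on API 17+.
        public String secret() { return "never exposed to the page"; }
    }
}
```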
| Date | Summary |
| --- | --- |
| 23/12/2013 | Sent initial details of bug |
| 23/12/2013 | PayPal acknowledges bugs, pointing out that SSL issues are out of scope in their bug bounty |
| 29/12/2013 | PayPal requests video PoC |
| 29/12/2013 | PoC video provided |
| 25/02/2014 | PayPal claims no risk to PayPal brand |