PayPal is the latest victim of Java deserialization bugs in Web apps

The company's Java-based, back-end system was vulnerable to an attack that researchers have warned about for a year

PayPal has fixed a serious vulnerability in its back-end management system that could have allowed attackers to execute arbitrary commands on the server and potentially install a backdoor.

The vulnerability belongs to a class of bugs that stem from Java object deserialization, which security researchers warned about a year ago.

In programming languages, serialization is the process of converting an in-memory object into a binary format so it can be stored or sent over the network. Deserialization is the reverse of that process: reconstructing the object from those bytes.

Deserialization is not an issue in itself, but like any operation on potentially untrusted input, measures need to be taken to ensure that it is performed safely. For example, an attacker could craft a serialized object that references a Java class the application accepts, and whose deserialization logic can be abused for something malicious.

Security researchers Chris Frohoff and Gabriel Lawrence gave a presentation about this type of attack at a security conference a year ago. Then in November, researchers from a company called FoxGlove Security published a proof-of-concept exploit for a deserialization vulnerability in a popular library called Apache Commons Collections that's included by default on many Java application servers.

Security researchers warned at the time that thousands of Java-based Web applications, including custom-made enterprise ones, are likely vulnerable to this attack and said that both good and bad hackers will likely start probing for it.

Michael Stepankin, the bug bounty hunter who found the recent vulnerability in the manager.paypal.com website, is one such hacker. He was inspired by the research from Frohoff, Lawrence and the FoxGlove researchers and even used one of the tools they produced to build his attack payload.

After determining that the PayPal site was vulnerable to Java deserialization, Stepankin was able to exploit the flaw in order to execute arbitrary commands on its underlying Web server.

"Moreover, I could establish a back connection to my own Internet server and, for example, upload and execute a backdoor," he said in a blog post. "In result, I could get access to production databases used by the manager.paypal.com application."

After he reported the issue to PayPal and it got fixed, the company gave him a reward through its bug bounty program, even though his report was marked as a duplicate. It turns out that another security researcher reported the same issue a few days earlier, proving that people are currently scanning for this type of vulnerability.

Developers should make sure that they update the Apache Commons Collections library used by their Java servers and apps to at least version 3.2.2 or 4.1 (the fixed releases of the 3.x and 4.x branches, respectively), which address this issue. However, it's likely that this type of vulnerability exists in other libraries as well, waiting to be discovered.

Lucian Constantin

IDG News Service