PayPal is the latest victim of Java deserialization bugs in Web apps

The company's Java-based, back-end system was vulnerable to an attack that researchers have warned about for a year

PayPal has fixed a serious vulnerability in its back-end management system that could have allowed attackers to execute arbitrary commands on the server and potentially install a backdoor.

The vulnerability is part of a class of bugs that stem from Java object deserialization and which security researchers have warned about a year ago.

In programming languages, serialization is the process of converting data to a binary format for storing it or for sending it over the network. Deserialization is the reverse of that process.

Deserialization is not an issue in itself, but like most processes that involve processing potentially untrusted input, measures need to be taken to ensure that it is performed safely. For example, an attacker could craft a serialized object that includes a Java class that the application accepts and which could be abused for something malicious.

Security researchers Chris Frohoff and Gabriel Lawrence gave a presentation about  this type of attack at a security conference a year ago. Then in November, researchers from a company called FoxGlove Security published a proof-of-concept exploit for a deserialization vulnerability in a popular library called Apache Commons Collections that's included by default on many Java application servers.

Security researchers warned at the time that thousands of Java-based Web applications, including custom-made enterprise ones, are likely vulnerable to this attack and said that both good and bad hackers will likely start probing for it.

Michael Stepankin, the bug bounty hunter who found the recent vulnerability in the manager.paypal.com website, is one such hacker. He was inspired by the research from Frohoff, Lawrence and the FoxGlove researchers and even used one of the tools they produced to build his attack payload.

After determining that the PayPal site was vulnerable to Java deserialization, Stepankin was able to exploit the flaw in order to execute arbitrary commands on its underlying Web server.

"Moreover, I could establish a back connection to my own Internet server and, for example, upload and execute a backdoor," he said in a blog post. "In result, I could get access to production databases used by the manager.paypal.com application."

After he reported the issue to PayPal and it got fixed, the company gave him a reward through its bug bounty program, even though his report was marked as a duplicate. It turns out that another security researcher reported the same issue a few days earlier, proving that people are currently scanning for this type of vulnerability.

Developers should make sure that they update the Apache Commons Collections library used by their Java servers and apps to at least versions 3.2.2 or 4.1, which address this issue. However, it's likely that this type of vulnerability exists in other libraries as well, waiting to be discovered.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

James Cook University - Master of Data Science Online Course

Learn more >

Mobile

Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >

Exec

Budget

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?