Leave a comment

PayPal had a critical security bug that was wide open until last month

PayPal had a critical security bug that was wide open until last month
Denys Prykhodov / Shutterstock.com

Computer security is a tough gig. There are thousands of potential problems floating around that hackers may or may not be able to turn into a successful attack. They can't all be as obvious as Lenovo's recent use of the password "12345678" for security in its SHAREit app.

Security researchers and software developers have to decide which potential problems get their attention first, and sometimes they guess wrong. That's what happened recently to payment and money-sharing service PayPal.

PayPal just had to rush out a fix to a problem that security researchers have known about for years. It's called Java deserialization and it takes advantage of the way programs written in different languages communicate.

The details are complicated, but using this bug a researcher named Michael "Artsploit" Stepankin was able to get access to PayPal's servers through its own PayPal Manager site. From there, he could trick PayPal's servers into communicating with his servers or he could even upload and run malicious code.

After he informed PayPal of the situation in mid-December, PayPal did fix the problem. However, security researchers say it will probably appear again in a number of other areas and services.

As we said earlier though, security researchers have known about this as a potential problem for years. So, why is it still around?

Given the way Java deserialization works, most security researchers decided early on that it was a theoretical danger that couldn't be used in a real attack. Even a year ago when researchers Chris Frohoff and Gabriel Lawrence proved it could be done, the security community still said it wasn't a serious concern.

In fact, PayPal claims that part of the reason it didn't fix the problem earlier is because it never heard about Frohoff and Lawrence's work. And it's true their demonstration got almost no coverage in the tech press.

On the plus side, there's no sign that hackers ever took advantage of the flaw while it was active. Still, it's a good reminder to keep an eye on your finances and other information for any transactions or other strange activity.

Next Story
Mark Zuckerberg posted a picture of his closet. Steve Jobs would be proud
Previous Happening Now

Mark Zuckerberg posted a picture of his closet. Steve Jobs would be proud

Health insurer's hard drives missing, almost a million people at risk
Next Happening Now

Health insurer's hard drives missing, almost a million people at risk

View Comments ()