PayPal servers are affected by a Java bug known as Java deserialization, which creates a security hole when applications securely talk to each other. Although this bug has been known to security researchers for the past few years, they assumed that it was too hard to exploit.
To understand this flaw in depth, let’s go through how it works. Computer programs that need to share data may be operating in a virtual tower of confusion, as they are written in different programming languages and run on completely different computer systems that represent data differently in memory.
Serialization is a process that helps programs understand each other. The sending program collects all the actual data it wants to transfer and writes it out in a standardized format, rather than just providing references to it that could be misinterpreted, such as memory addresses or file handles.
Last year, two researchers discovered that a security hole exists when the data packets are deserialized (in other words, “unflattened”) so that the data within can be used.
One of those bugs was discovered in the cash-wrangling app of the PayPal business website. This serious flaw was in PayPal Manager and had the potential to allow execution of arbitrary commands on the Manager.PayPal.com web servers. This could help hackers establish a connection to their own servers. If this happens, the hackers could plant malicious code on the databases and could also divert transactions from the databases handling them to any server in the world.
Though the PayPal authorities were informed of the bug 10 months ago, they did not respond or try to nullify it. They indirectly disclosed that the flaw was hard and almost impossible to break. They also added that, due to a lack of media attention, their engineering team couldn’t focus on it.
But now, security researchers like Michael Stepanin and Mark Litchfield have confirmed that if they could hack the web servers of PayPal through this vulnerability, then any other hacking group in the world could exploit this flaw as well.
What if the data exploited through this vulnerability falls into the wrong hands?
Hope someone from PayPal is listening!