There was a critical-severity flaw in PayPal that an attacker could leverage to delete any account and create a new one with the same username.
But the payment processor learned about the vulnerability, discovered by Ionut Cernica, an independent security researcher working with Vulnerability Lab, and fixed the issue.
The remotely exploitable vulnerability didn’t require any interaction from the victim.
“After testing the web application paypal.com I discovered that if you have a U.S. account and the following page is visited, you can add a new email from that page. The problem is even [though] the email you try to add to your account is already registered with PayPal the new email will be added into your account as unconfirmed,” the researcher noted.
“After you added an existing email to your account, if you go to the account profile and you delete the unconfirmed email, the original account will be deleted too,” he said in his report.
Once the targeted account was deleted, the attacker could register a new account under the freed-up username. The new account would, however, start with no balance and remain unconfirmed.
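The flaw as described is an authorization bug in how the email address is keyed: adding an address is not checked against other accounts, and deleting it is resolved globally rather than within the caller's own account. The following is an added toy model of that logic and of the hardened form, written for this article; it is not PayPal's code, and the store classes, method names and sample usernames are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    emails: dict = field(default_factory=dict)  # address -> confirmed (bool)


class VulnerableStore:
    """Hypothetical model of the reported behaviour: an email address is
    treated as a global key, so adding it is unchecked and deleting it tears
    down whichever account owns it."""

    def __init__(self):
        self.accounts = {}      # username -> Account
        self.email_owner = {}   # confirmed address -> username

    def register(self, username, email):
        if username in self.accounts:
            raise ValueError("username taken")
        self.accounts[username] = Account(username, {email: True})
        self.email_owner[email] = username

    def add_email(self, username, email):
        # Flaw 1: no check that the address is already registered elsewhere;
        # it is simply attached to the caller's account as unconfirmed.
        self.accounts[username].emails[email] = False

    def delete_email(self, username, email):
        # Flaw 2: the delete resolves the address globally rather than within
        # the caller's account, so removing an unconfirmed alias also removes
        # the confirmed owner's account.
        self.accounts[username].emails.pop(email, None)
        owner = self.email_owner.pop(email, None)
        if owner is not None:
            del self.accounts[owner]


class HardenedStore(VulnerableStore):
    """Same store with the two checks a reviewer would expect."""

    def add_email(self, username, email):
        owner = self.email_owner.get(email)
        if owner is not None and owner != username:
            raise PermissionError("address belongs to another account")
        self.accounts[username].emails[email] = False

    def delete_email(self, username, email):
        acct = self.accounts[username]
        if email not in acct.emails:
            raise PermissionError("address is not on this account")
        confirmed = acct.emails.pop(email)
        # Only a confirmed address carries ownership; an unconfirmed alias
        # never touches the global mapping, and no account is deleted here.
        if confirmed and self.email_owner.get(email) == username:
            del self.email_owner[email]


def run_attack(store_cls):
    """Replay the reported sequence; returns (victim_survives, attacker_took_username)."""
    store = store_cls()
    store.register("victim", "victim@example.com")      # constructed sample data
    store.register("attacker", "attacker@example.com")
    try:
        store.add_email("attacker", "victim@example.com")
        store.delete_email("attacker", "victim@example.com")
    except PermissionError:
        pass
    victim_survives = "victim" in store.accounts
    try:
        store.register("victim", "attacker2@example.com")
        attacker_took_username = True
    except ValueError:
        attacker_took_username = False
    return victim_survives, attacker_took_username


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableStore))
    print("hardened:  ", run_attack(HardenedStore))
```

Against the vulnerable store the replay deletes the victim and lets the attacker re-register the username; against the hardened store the add step is refused outright, and even if it were not, the scoped delete would only drop the attacker's own unconfirmed alias. The general lesson is that an identifier a user can attach to their profile (email, phone number) must be authorized as an (account, identifier) pair on every operation, never resolved as a global key.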
According to Vulnerability Lab, the issue was first reported to PayPal in late April, and the company said it had addressed it in May. Cernica, however, found he was still able to exploit it afterwards.
Experts said PayPal properly addressed it this month.