[PayPal Android] Remote theft of user session using push_notification_webview deeplink
State Resolved (Closed)
Disclosed publicly 2019-02-07T23:03:05.746Z
Reported To
Weakness Open Redirect
Bounty $6,800

Summary by bagipro

A deeplink feature built into the PayPal Android application failed to validate the requested endpoint. A specifically crafted request from a website or separate app on the device could call the deeplink and direct traffic to any destination. While the impact was limited by compensating controls, headers containing sensitive data could be collected by a malicious actor.
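The class of defect described above is a deeplink handler that loads whatever endpoint it is handed into a WebView together with session-bearing headers. The following is an added illustration of the missing validation step, not PayPal's code; the deeplink shape `push_notification_webview?url=<target>`, the parameter name `url`, the allowlisted hosts and the header value are all assumptions made for the example.

```java
// Added illustration (not PayPal's code): a deeplink-handling Activity that
// validates the requested endpoint before loading it in a WebView.
// Assumed deeplink shape: <scheme>://push_notification_webview?url=<target>
// (the query parameter name is an assumption, not taken from the report).
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class PushNotificationWebViewActivity extends Activity {
    // Only first-party hosts may receive the session-bearing headers (assumed list).
    private static final Set<String> ALLOWED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("www.paypal.com", "m.paypal.com")));

    // Accepts only https URLs whose parsed host is on the allowlist.
    // The check runs on the parsed Uri, not on the raw string, and uses an
    // exact host match, so prefix/suffix lookalikes and userinfo tricks
    // ("https://www.paypal.com@attacker.example/") do not pass.
    static boolean isAllowedTarget(Uri target) {
        if (target == null || !"https".equalsIgnoreCase(target.getScheme())) return false;
        String host = target.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri deeplink = getIntent().getData();
        String raw = deeplink == null ? null : deeplink.getQueryParameter("url");
        Uri target = raw == null ? null : Uri.parse(raw);

        if (!isAllowedTarget(target)) {
            // The unvalidated version would call loadUrl(raw, headers) here,
            // sending the headers to any destination named by the caller.
            finish();
            return;
        }
        Map<String, String> headers = new HashMap<>();
        headers.put("Authorization", "Bearer <session token placeholder>"); // assumed header
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.loadUrl(target.toString(), headers);
    }
}
```

Rejected targets are dropped rather than redirected, and the session headers are only attached once the parsed host has passed the allowlist.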

Timeline
Submitted a report to PayPal.
2018-10-15T23:12:35.265Z

Regards,
Frans

bagipro Activities::Comment
2018-10-15T23:35:59.776Z


joystick Activities::ReportTitleUpdated
2018-10-15T23:39:50.203Z


bagipro Activities::Comment
2018-10-16T00:55:49.362Z


chessmast3r Activities::Comment
2018-10-27T15:13:49.510Z


bagipro Activities::Comment
2018-11-06T16:59:07.224Z


druth Activities::BugNeedsMoreInfo
2018-11-13T17:28:56.066Z


bagipro Activities::BugNew
2018-11-13T17:31:04.932Z


bagipro Activities::Comment
2018-11-14T06:53:12.180Z


druth Activities::BugTriaged
2018-11-19T20:42:12.352Z


bagipro Activities::Comment
2018-11-22T20:26:00.621Z


space_pp Activities::ReportVulnerabilityTypesUpdated
2018-12-04T18:35:31.022Z


space_pp Activities::ReportSeverityUpdated
2018-12-04T18:45:57.436Z


Activities::BountyAwarded
2018-12-04T18:51:41.879Z


bagipro Activities::Comment
2018-12-04T18:56:34.468Z


space_pp Activities::Comment
2018-12-04T20:02:01.924Z


bagipro Activities::Comment
2018-12-04T20:06:49.839Z


greentea Activities::ReassignedToTeam
2018-12-05T16:44:26.946Z


greentea Activities::ReassignedToTeam
2018-12-05T16:45:29.660Z


bagipro Activities::Comment
2018-12-07T22:19:29.835Z


bagipro Activities::Comment
2018-12-24T18:04:14.126Z


space_pp Activities::BugResolved
2019-01-09T18:44:22.049Z


bagipro Activities::AgreedOnGoingPublic
2019-01-12T20:58:37.416Z


space_pp Activities::AgreedOnGoingPublic
2019-02-07T23:03:05.662Z


space_pp Activities::ReportBecamePublic
2019-02-07T23:03:05.783Z