Paypal vulnerability can enable malicious hacker to delete any account

Currently, the vulnerability is already fixed. Ionut Cernica a security researcher found an interesting glitch in the user system of Paypal, it can allow anybody to delete any paypal account and create new one with the same username.

First reported by Eduard Kovacs, the vulnerability can be exploited remotely and did not require any user interaction.

“After testing the web application paypal.com I discovered that if you have a US account and the following page is visited, you can add a new email from that page. The problem is even [though] the e-mail you try to add to your account is already registered with PayPal the new e-mail will be added into your account as unconfirmed,” the researcher said.

“After you added an existing email to your account, if you go to the account profile and you delete the unconfirmed email, the original account will be deleted too,” he further added.

The attacker can now create new account with the same  username once the account is deleted. Of course, the account will not contain any balance and is unverified.